AFRL-ir-RS-TR-2003-63 
Final  Technical  Report 
March  2003 


SURVIVABLE  LOOSELY  COUPLED 
ARCHITECTURES 


SRI  International 


APPROVED  FOR  PUBLIC  RELEASE;  DISTRIBUTION  UNLIMITED. 


AIR  FORCE  RESEARCH  LABORATORY 
INFORMATION  DIRECTORATE 
ROME  RESEARCH  SITE 
ROME,  NEW  YORK 


This  report  has  been  reviewed  by  the  Air  Foree  Researeh  Laboratory,  Information 
Direetorate,  Publie  Affairs  Offiee  (IFOIPA)  and  is  releasable  to  the  National  Teehnieal 
Information  Serviee  (NTIS).  At  NTIS  it  will  be  releasable  to  the  general  publie, 
ineluding  foreign  nations. 


AFRL-IF-RS-TR-2003-63  has  been  reviewed  and  is  approved  for  publication. 


APPROVED: 


JAMES  E.  SIDORAN 


Project  Engineer 


EOR  THE  DIRECTOR: 


WARREN  H.  DEBANY,  Technical  Advisor 
Information  Grid  Division 
Information  Directorate 


REPORT  DOCUMENTATION  PAGE 


Form  Approved 
0MB  No.  074-0188 


Public  reporting  burden  for  this  coliection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  compieting  and  reviewing  this  coilection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  coliection  of  information,  including 
suggestions  for  reducing  this  burden  to  Washington  Headquarters  Services,  Directorate  for  information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Ariington,  VA  22202-4302, 
and  to  the  Office  of  Management  and  Budget,  Paperwork  Reduction  Project  (0704-0188),  Washington,  DC  20503 _ 


1.  AGENCY  USE  ONLY  (Leave  blank)  2.  REPORT  DATE  3.  REPORT  TYPE  AND  DATES  COVERED 


MARCH  2003 


4.  TITLE  AND  SUBTITLE 

SURVIVABLE  LOOSELY  COUPLED  ARCHITECTURES 


6.  AUTHOR(S) 

John  Rushby,  Dawn  Xiaodong  Song,  Jonathan  K.  Millen,  Harald  Rueb,  and 
Veronique  Cortier 


Final  Aug  96  -  Dec  99 _ 


5.  FUNDING  NUMBERS 

C  -  F30602-96-C-0291 
PE  -  62301 E 
PR  -D985 
TA  -  02 
WU  -  01 


7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

SRI  International 

333  Ravenswood  Avenue 

Menlo  Park  California  94022 


8.  PERFORMING  ORGANIZATION 
REPORT  NUMBER 


9.  SPONSORING  /  MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

Air  Force  Research  Laboratory/IFGB 

525  Brooks  Road 

Rome  New  York  13441-4505 


10.  SPONSORING  /  MONITORING 
AGENCY  REPORT  NUMBER 

AFRL-IF-RS-TR-2003-63 


11.  SUPPLEMENTARY  NOTES 


AFRL  Project  Engineer:  James  L.  Sidoran/IFGB/(315)  330-3174/  James.Sidoran@rl.af.mil 


12a.  DISTRIBUTION  /  AVAILABILITY  STATEMENT 

APPROVED  FOR  PUBLIC  RELEASE;  DISTRIBUTION  UNLIMITED. 


12b.  DISTRIBUTION  CODE 


13.  ABSTRACT  (Maximum  200  Words) 

The  objective  of  this  research  was  to  develop  mechanisms  and  methods  of  analysis  to  support  construction  of 
survivable  systems  where  survivable  means  systems  able  to  withstand  multiple  kinds  of  faults  among  their  components, 
including  those  induced  deliberately  by  an  active  attacker.  One  class  of  architectures  for  survivability  builds  on  classical 
methods  for  fault  tolerance,  in  which  replication  and  voting  are  used  to  mask  faults.  An  alternative  class  of  methods 
requires  less  tight  coordination,  giving  rise  to  loosely  coupled  architectures.  Mechanisms  that  support  survivability  in 
loosely  coupled  architectures  are  typically  based  on  cryptography,  and  much  of  the  work  performed  in  this  project 
focused  on  development  of  suitable  cryptographic  protocols  and  on  their  formal  verification.  In  the  course  of  the  project, 
the  state  of  the  art  was  advanced  from  one  where  formal  verification  of  these  protocols  was  a  tour  de  force  to  one  where 
it  may  be  considered  routine  and  available  for  general  deployment.  The  outputs  of  this  research  are  documented  in  a 
series  of  technical  papers  (with  associated  abstracts)  that  follow. 


14.  SUBJECT  TERMS 

Survivable  Systems,  Loosely  Coupled  Architectures,  Fault  Tolerant  Methods, 
Cryptographic  Protocols 


15.  NUMBER  OF  PAGES 

131 


16.  PRICE  CODE 


17.  SECURITY  CLASSIFICATION  18.  SECURITY  CLASSIFICATION  19.  SECURITY  CLASSIFICATION  |  20.  LIMITATION  OF  ABSTRACT 
OF  REPORT  OF  THIS  PAGE  OF  ABSTRACT 


UNCLASSIFIED 


NSN  7540-01-280-5500 


UNCLASSIFIED 


UNCLASSIFIED 


Standard  Form  298  (Rev.  2-89) 

Prescribed  by  ANSI  Std.  Z39-18 
298-102 


Table  of  Contents 


Part  1:  Introduction . 1 

Bibliography . 4 

Part  II;  Technical  Papers . 5 

Appendix  I;  Secure  Auetions  in  a  Publish/Subscribe  System . 6 

Appendix  2:  A  Neeessarily  Coneurrent  Attaek . 24 

Appendix  3:  Protoeol-Independent  Seereey . 51 

Appendix  4:  Loeal  Seereey  for  State-Based  Models . 68 

Appendix  5:  Proving  seereey  is  easy  enough . 80 

Appendix  6:  An  Overview  of  Formal  Verifieation  for  the  Time-Triggered 

Arehiteeture . 104 


Part  I:  Introduction 


This  report  covers  the  period  August  28,  1996  through  December  31,  1999,  and  docu¬ 
ments  work  performed  by  SRI  International  for  Rome  Laboratory  Contract  F30602-96-C- 
0291,  Arpa  Order  E301. 

The  objective  of  this  research  was  to  develop  mechanisms  and  methods  of  analysis  to 
support  construction  of  survivable  systems.  By  survivable  systems,  we  mean  those  able 
to  withstand  multiple  kinds  of  faults  among  their  components,  including  those  induced 
deliberately  by  an  active  attacker.  One  class  of  architectures  for  survivability  builds  on 
classical  methods  for  fault  tolerance,  in  which  replication  and  voting  are  used  to  mask 
faults.  These  methods,  however,  require  tight  coordination  among  the  replicas  and  may  fail 
to  make  progress  if  certain  connectivity  requirements  are  not  satisfied  (e.g.,  if  there  is  no 
majority  clique  in  a  partitioned  network).  An  alternative  class  of  methods  requires  less  tight 
coordination,  giving  rise  to  loosely  coupled  architectures. 

Mechanisms  that  support  survivability  in  loosely  coupled  architectures  are  typically 
based  on  cryptography,  and  much  of  the  work  performed  in  this  project  focused  on  devel¬ 
opment  of  suitable  cryptographic  protocols  and  on  their  formal  verification.  In  the  course 
of  the  project  we  advanced  the  state  of  the  art  from  one  where  formal  verification  of  these 
protocols  was  a  tour  de  force  to  one  where  it  may  be  considered  routine  and  available  for 
general  deployment.  The  outputs  of  this  research  are  documented  in  a  series  of  technical  pa¬ 
pers  that  are  collected  in  Part  II  of  this  report.  Below,  we  provide  an  index  and  abstracts  for 
these  papers.  Several  of  them  were  selected  for  presentation  at  major  scientific  conferences, 
and  we  also  provide  citations  for  these  publications. 

Secure  Auctions  in  a  Publish/Subscribe  System  (page  6). 

The  project  began  with  the  design  and  verification  of  a  protocol  for  fault-tolerant  and 
secure  service  for  sealed-bid  auctions  in  a  loosely  coupled  system. 

Abstract  We  present  an  approach  to  provide  a  fault-tolerant  and  secure  service  for 
sealed-bid  auctions.  The  solution  is  designed  for  a  loosely  coupled  publish-subscribe 
system.  It  employs  multiple  auction  servers  and  achieves  validity  and  security  prop¬ 
erties  through  application  of  secret-sharing  methods  and  public-key  encryption  and 
signatures.  It  can  tolerate  Byzantine  failures  of  one  third  of  the  auction  servers  and 
any  number  of  bidders.  A  verification  of  the  desired  properties  has  been  machine 
checked  using  PVS.  This  work  also  provides  insight  and  useful  experience  in  tech¬ 
niques  for  specifying  and  verifying  this  type  of  system. 

A  Necessarily  Concurrent  Attack  (page  2  4).  Published  as  [1]. 

The  project  next  established  that  certain  classes  of  attacks  on  protocols  can  be 
mounted  in  a  concurrent  system  but  not  in  a  sequential  system.  Thus,  the  intruder 
is  strictly  more  powerful  in  a  concurrent  system,  and  the  burden  of  verification  cor¬ 
respondingly  greater. 


1 


Abstract  An  artificial  protocol  called  the  “ffgg”  protocol  is  constructed,  with  an 
assumed  security  objective  to  keep  a  certain  data  item  secret.  A  message  modification 
attack  is  given  that  exposes  the  data  item;  in  this  attack  there  are  two  concurrently 
running  responder  processes  belonging  to  the  same  agent.  To  show  that  a  concurrent 
attack  is  necessary,  we  use  an  inductive  approach  to  prove  that  the  protocol  is  secure 
under  the  assumption  that  this  kind  of  concurrency  is  excluded. 

Protocol-Independent  Secrecy  (page  51).  Published  as  [2]. 

Formal  verifications  of  cryptographic  protocols  have  previously  been  monolithic. 
This  paper  introduces  a  decomposition  method  for  dividing  the  verification  into  two 
components,  thereby  allowing  reuse  and  reducing  the  overall  effort  required. 


Abstract  Inductive  proofs  of  secrecy  invariants  for  cryptographic  protocols  can  be 
facilitated  by  separating  the  protocol-dependent  part  from  the  protocol-independent 
part.  Our  Secrecy  theorem  encapsulates  the  use  of  induction  so  that  the  discharge  of 
protocol-specific  proof  obligations  is  reduced  to  first-order  reasoning.  Secrecy  proofs 
for  Otway-Rees  and  the  corrected  Needham-Schroeder  protocol  are  given. 

Local  Secrecy  for  State-Based  Models  (page  6  8).  Published  as  [3]. 

The  next  paper  illustrates  the  verification  techniques  introduced  by  the  previous  pa¬ 
per,  using  extracts  from  actual  verifications  performed  using  SRTs  PVS  verification 
system. 


Abstract  Proofs  of  secrecy  invariants  for  cryptographic  protocols  can  be  facilitated 
by  separating  the  protocol-dependent  part  from  the  protocol-independent  part.  Our 
Secrecy  theorem  encapsulates  the  use  of  induction  so  that  the  discharge  of  protocol- 
specific  proof  obligations  is  reduced  to  first-order  reasoning.  The  theorem  has  been 
proved  and  applied  in  the  PVS  environment  with  supporting  protocol  representation 
theories  based  on  a  state-transition  model.  This  technique  has  been  successfully  ap¬ 
plied  to  both  standard  benchmark  examples  and  to  parts  of  the  verification  of  the 
Enclave  group  management  system. 

Proving  secrecy  is  easy  enough  (page  80).  Published  as  [4]. 

The  decomposition  method  developed  in  the  previous  two  papers  facilitates  system¬ 
atic  development  of  secrecy  proofs.  The  next  paper  presents  the  culmination  of  this 
element  of  the  research:  a  completely  systematic  method  that  allows  easy  verification 
of  challenging  cryptographic  protocols. 


2 


Abstract  We  develop  a  systematie  proof  proeedure  for  establishing  seereey  results 
for  eryptographie  protoeols.  Part  of  the  proeedure  is  to  reduee  messages  to  simplified 
eonstituents,  and  its  eore  is  a  seareh  proeedure  for  establishing  seereey  results.  This 
procedure  is  sound  but  incomplete  in  that  it  may  fail  to  establish  secrecy  for  some 
secure  protocols.  However,  it  is  amenable  to  mechanization,  and  it  also  has  a  conve¬ 
nient  visual  representation.  We  demonstrate  the  utility  of  our  procedure  with  secrecy 
proofs  for  standard  benchmarks  such  as  the  Yahalom  protocol. 

An  Overview  of  Formal  Verification  for  the  Time-Triggered  Architecture  (page  104). 

Published  as  [5]. 

In  parallel  to  formal  verification  of  cryptographic  protocols,  we  also  performed 
research  on  formal  verification  of  algorithms  for  the  Time-Triggered  Architecture 
(TTA),  which  is  being  adopted  for  critical  control  applications  in  both  civil  and  mil¬ 
itary  domains  (for  example,  it  is  used  in  a  new  engine  controller  for  the  F16).  Al¬ 
though  not  loosely  coupled,  we  considered  that  the  very  well  defined  verificafion 
challenges  presented  by  TTA  would  provide  an  excellenf  driver  for  developmenf  of 
new  techniques.  This  proved  fo  be  fhe  case,  as  fhe  diagrammatic  formal  verifica¬ 
tion  mefhod  developed  for  fhe  TTA  membership  algorifhm  was  subsequenfly  applied 
successfully  (in  anofher  DARPA  projecf)  fo  fhe  loosely  coupled  Enclaves  archifec- 
fure  [6]. 


Abstract  We  describe  formal  verification  of  some  of  fhe  key  algorifhms  in  fhe 
Time-Triggered  Archifecfure  (TTA)  for  real-time  safefy-crilical  confrol  applicafions. 
Some  of  fhese  algorifhms  pose  formidable  challenges  fo  currenf  fechniques  and  have 
been  formally  verified  only  in  simplified  form  or  under  resfricfed  faulf  assumpfions. 
We  describe  whaf  has  been  done  and  whaf  remains  fo  be  done  and  indicate  some 
directions  fhaf  seem  promising  for  fhe  remaining  cases  and  for  increasing  fhe  au- 
fomafion  fhaf  can  be  applied.  We  also  describe  fhe  larger  challenges  posed  by  formal 
verification  of  fhe  interaction  of  fhe  consfifuenf  algorifhms  and  of  fheir  emergenf 
properfies. 


3 


Bibliography 


[1]  Jonathan  K.  Millen.  A  necessarily  parallel  attack.  In  Nevin  Heintze  and  Edmund 
Clarke,  editors,  Workshop  on  Formal  Methods  and  Security  Protocols  (Part  of  the  Fed¬ 
erated  Logic  Conference,  FLoC),  Trento,  Italy,  July  1999. 

[2]  Jon  Millen  and  Harald  RueB.  Protocol-independent  secrecy.  In  Michael  Reiter  and 
Roger  Needham,  editors.  Proceedings  of  the  Symposium  on  Security  and  Privacy,  pages 
110-119,  Oakland,  CA,  May  2000.  IEEE  Computer  Society. 

[3]  Harald  RueB  and  Jonathan  Millen.  Eocal  secrecy  for  state-based  models.  In  Workshop 
on  Formal  Methods  and  Computer  Security  (held  in  association  with  the  Conference 
on  Computer  Aided  Verification,  CAV),  Chicago,  IE,  July  2000. 

[4]  Veronique  Cortier,  Jon  Millen,  and  Harald  RueB.  Proving  secrecy  is  easy  enough.  In 
14th  Computer  Security  Foundations  Workshop,  pages  97-108,  Cape  Breton,  Novia 
Scotia,  Canada,  June  2001.  IEEE  Computer  Society. 

[5]  John  Rushby.  An  overview  of  formal  verification  for  the  time-triggered  architecture. 
In  Werner  Damm  and  Ernst-Riidiger  Olderog,  editors.  Formal  Techniques  in  Real-Time 
and  Fault-Tolerant  Systems,  volume  2469  of  Lecture  Notes  in  Computer  Science,  pages 
83-105,  Oldenburg,  Germany,  November  2002.  Springer- Verlag. 

[6]  B.  Dutertre,  H.  Saidi,  and  V.  Stavridou.  Intrusion-tolerant  group  management  in  En¬ 
claves.  In  The  International  Conference  on  Dependable  Systems  and  Networks,  pages 
203-212,  Goteborg,  Sweden,  July  2001.  IEEE  Computer  Society. 


4 


Part  II 


Technical  Papers 


Secure  Auctions  in  a  Publish/Subscribe  System  * 


Dawn  Xiaodong  Song 
Carnegie  Mellon  University 
sky  xd  @  cs .  emu .  edu 


Jonathan  K.  Millen 
SRI  International 
mi11en@cs1.sri.com 


Abstract 

We  present  an  approach  to  provide  a  fault-tolerant  and  secure  service  for  sealed-bid 
auctions.  The  solution  is  designed  for  a  loosely  coupled  publish/subscribe  system.  It 
employs  multiple  auction  servers  and  achieves  validity  and  security  properties  through 
application  of  secret-sharing  methods  and  public -key  encryption  and  signatures.  It 
can  tolerate  Byzantine  failures  of  one  third  of  the  auction  servers  and  any  number  of 
bidders.  A  verification  of  the  desired  properties  has  been  machine-checked  using  PVS. 
This  work  also  provides  insight  and  useful  experience  in  techniques  for  specifying  and 
verifying  this  type  of  system. 


1  Introduction 

The  transition  from  traditional  financial  procedures  to  novel  electronic  and  digital  proce¬ 
dures  is  taking  place  worldwide  at  a  surprisingly  high  speed.  Electronic  commerce  sys¬ 
tems,  such  as  electronic  trading,  electronic  banking,  and  electronic  exchanges  are  becom¬ 
ing  critical  systems  for  society.  As  is  the  case  with  the  traditional  forms  of  critical  systems, 
electronic  commerce  systems  often  require  safety  and  reliability  guarantees.  They  must  be 
scalable  and  adaptable.  They  also  require  security  properties  such  as  secrecy,  anonymity, 
and  non-repudiation. 

It’s  also  commonly  agreed  that  formal  specification  and  verification  are  needed  to  pro¬ 
vide  solutions  of  this  kind  [15]  [8]  [10].  Many  hand-checked  protocols  are  found  to  be 
flawed  via  formal  methods  after  they  are  proposed  [5]  [9]  [6].  But  there  is  still  a  lack  of  in¬ 
structive  experience  and  a  systematic  way  of  combining  system  building  blocks  and  formal 
specification  and  verification  techniques  to  provide  a  real  solution. 

Motivated  by  these  problems,  we  studied  one  of  these  electronic  commerce  systems, 
sealed-bid  secure  auction  service.  A  sealed-bid  auction  is  one  in  which  secret  bids  are 
issued  for  a  certain  item,  and  when  the  bidding  is  closed,  the  bids  will  be  opened  and  the 
winner  will  be  chosen  according  to  certain  publicly  known  rules.  Sealed-bid  auctions  are 

*This  work  was  supported  by  the  U.S.  Government  under  contract  no.  F30602-96-C-0291 


6 


used  in  auctioning  of  various  contracts,  and  in  the  sale  of  different  types  of  goods,  such  as 
artwork  and  real  estate  [4]  [14]. 

Besides  efficiency  and  scalability,  sealed-bid  auctions  have  strong  security  require¬ 
ments.  The  identity  of  the  bidders  and  the  contents  of  the  bids  should  not  be  revealed 
until  the  bidding  is  closed.  After  the  bidding  is  closed,  no  more  bids  should  be  accepted 
as  valid  bids.  The  auction  service  should  be  able  to  tolerate  a  certain  degree  of  corruption 
of  the  insiders  in  the  auction  house  and  the  maliciousness  of  some  bidders.  In  an  internet 
environment,  it  is  necessary  to  provide  the  required  functional  and  security  properties  in  the 
face  of  unreliable  network  communication  and  random  failures  of  important  components 
such  as  auction  servers. 

Franklin  and  Reiter  have  given  a  solution  in  the  context  of  monetary  bids  [4].  Their 
solution  is  focused  on  using  a  cryptographic  technique  to  provide  protections  to  monetary 
bids,  such  as  digital  cash  bids.  It  inherits  certain  properties  from  the  digital  cash  scheme 
used  for  the  bids.  In  their  solution,  every  bidding  message  and  auction  server  synchroniza¬ 
tion  message  requires  atomic  multicast  [13]  primitives,  which  can  be  a  bottleneck  in  a  large 
system. 

In  this  paper  we  present  a  new  approach  which  is  built  on  a  loosely  coupled  architecture 
and  does  not  require  atomic  multicast.  Loosely  coupled  publish/subscribe  architectures 
have  been  widely  used  for  scalable,  adaptable  distributed  systems  [11].  Their  flexibility 
makes  them  a  desirable  infrastructure  for  many  applications,  but  they  generally  lack  fault 
tolerance  and  security  support  in  malicious  environments.  Our  challenge  is  to  integrate  fault 
tolerance  and  security  in  a  loosely  coupled  publish/subscribe  architecture  in  a  systematic 
way  and  use  formal  specification  and  verification  to  increase  the  assurance  of  the  design 
correctness  [17]. 

Our  solution  is  based  on  the  the  direct  application  of  secret  sharing  and  public  key 
encryption.  It  can  tolerate  Byzantine  failures  of  one  third  of  the  auction  servers  and  any 
number  of  bidders.  It  provides  a  bid  receipt  service,  which  is  often  desirable  in  financial 
acfivifies,  and  can  be  used  by  fhe  bidder  fo  prove  fhaf  a  bid  was  entered  before  fhe  bid¬ 
ding  was  closed.  We  use  PVS  for  formal  specificalion  and  verificalion  of  fhe  sysfem  and 
fhe  properfies  [12].  A  resulting  prototype  is  in  process  fo  demonsfrafe  fhe  efficiency  and 
scalabilify  of  fhe  sysfem. 

The  resf  of  fhe  paper  is  organized  as  follows:  fhe  desired  properfies  of  fhe  auction  are 
summarized  in  fhe  nexf  secfion.  In  Section  3,  we  presenf  fhe  basic  building  blocks  of  fhe 
system  and  fhe  crypfographic  primifives  needed  in  fhe  design.  In  Section  4,  we  give  an 
informal  description  of  fhe  profocol  in  defail.  In  Section  5,  we  give  an  overview  of  fhe 
formal  specificalion  of  fhe  sysfem  and  some  abslraclion  techniques.  In  Secfion  6,  we  lisl 
fhe  desired  sysfem  properfies  as  specified  in  PVS  and  explain  how  we  used  PVS  to  prove 
fhese  properties.  Some  issues  are  discussed  in  Secfion  7. 


7 


2  Auction  Properties 


The  auction  scheme  is  designed  for  any  number  of  bidders  and  auction  servers  (also  called 
auctioneers).  Some  of  the  auction  servers  and  bidders  may  be  faulty  by  either  intentionally 
or  incompetently  failing  to  follow  the  specification  of  the  protocol.  The  failure  model  and 
other  environmental  assumptions  are  discussed  in  detail  later. 

The  desired  properties  of  the  auction  are  as  follows: 

1.  The  bidding  period  starts  only  if  at  least  one  good  auction  server  decides  that  it 
should. 

2.  A  good  auction  server  stops  accepting  bids  only  after  at  least  one  other  good  auction 
server  decides  that  the  bidding  period  should  be  closed. 

3.  The  identity  of  the  bidders  and  the  content  of  their  bids  are  not  revealed  until  the 
bidding  is  closed. 

4.  After  the  bidding  period  is  closed,  no  more  bids  are  accepted  as  valid. 

5.  Bidders  are  provided  with  evidence  to  prove  that  their  bids  are  accepted  before  the 
bidding  is  closed. 

6.  Winning  bid  will  be  determined  according  to  certain  publicly  known  rules. 

At  the  end  of  the  auction,  a  winning  bid  is  selected.  Guarantees  regarding  the  authen¬ 
ticity,  nonrepudiation,  and  collectability  of  the  bids  are  not  provided  by  the  protocol  itself, 
but  those  issues  can  be  addressed  separately  through  construction  of  the  bid  contents. 

3  Building  Blocks 

The  three  architectural  components  of  the  system  are: 

•  a  loosely  coupled  publish/subscribe  system, 

•  a  set  of  cryptographic  primitives,  and 

•  an  auction  protocol. 

The  first  two  of  these  are  summarized  below.  The  principal  contribution  of  this  paper  is 
the  design  and  verification  of  the  auction  protocol,  as  described  in  subsequent  sections. 


3.1  System  Characteristics 

3.1.1  Loosely  Coupled  Systems 

Loosely  coupled  systems  have  been  developed  to  meet  the  need  for  large-scale  survivable 
distributed  systems  [11].  The  distinction  between  a  loosely  coupled  system  and  a  tightly 
coupled  one  lies  in  the  way  they  handle  process  groups  [1].  In  a  tightly  coupled  system 
there  is  a  strong  notion  of  group,  sharing  a  common  view  of  the  group  membership  and  the 
state  of  the  system.  A  tightly  coupled  system  often  requires  reliable  multicast  and  atomic 
multicast  [13].  The  group  membership  protocol  and  reliable  and  atomic  multicast  primitives 
are  complex  and  expensive  to  implement  and  can  be  a  bottleneck  of  a  system. 

Loosely  coupled  systems,  by  contrast,  do  not  need  a  strong  notion  of  group  member¬ 
ship.  Instead  of  atomic  multicast,  they  often  use  a  publish/subscribe  infrastructure  where 
components  acting  in  the  role  of  publishers  or  subscribers  communicate  through  a  virtual 
bus  (often  called  an  “infobus”).  Their  great  flexibility,  adaptability  and  efficiency  have 
made  such  systems  suitable  for  very  large  and  wide-area  networks. 

3.1.2  Publish/Subscribe  Architecture 

In  a  publish/subscribe  system,  messages  have  a  subject  and  a  content  field.  Publishers 
publish  messages  under  certain  subjects.  Subscribers  subscribe  to  subjects  of  interest  and 
receive  the  messages  that  are  published  under  those  subjects.  Publish/subscribe  systems  are 
flexible  because  the  subjects  and  contents  of  messages  are  minimally  constrained  by  the 
core  communication  architecture.  Subjects  may  have  hierarchically  organized,  application- 
defined  modifiers  or  subtopics,  and  the  format  of  the  message  content  can  be  defined  freely 
according  to  the  needs  of  the  applications.  Publish/subscribe  also  provides  anonymity  of 
publishers  and  subscribers. 

For  the  auction  scheme,  there  will  be  an  auction  subject,  with  modifiers  identifying  a 
particular  auction  and  indicating  whether  the  message  is  intended  for  auction  servers  or 
bidders.  Auction  Servers  and  bidders  both  publish  and  subscribe  to  appropriate  message 
subjects  as  defined  by  the  protocol.  For  each  particular  auction,  there  is  a  fixed  set  of 
auction  servers  of  known  size. 

The  subject  field  and  subscription  mechanism  cannot  be  depended  upon  to  support  se¬ 
curity  objectives  such  as  authenticating  authorized  publishers  or  restricting  distribution  of 
particular  types  of  messages.  For  these  and  other  security  functions,  we  make  use  of  addi¬ 
tional  cryptographic  services. 

3.1.3  Failure  Model 

The  failure  model  has  two  aspects:  the  reliability  of  message  delivery  in  the  network  and 
the  correctness  of  infobus  clients,  either  auction  servers  or  bidders. 


9 


The  network  is  not  assumed  to  be  totally  reliable.  Messages  ean  be  delayed  or  lost  or 
reeeived  out  of  order.  However,  the  protoeol  is  not  designed  for  arbitrary  network  failure  or 
indefinite  denial  of  message  delivery.  It  would  not  make  sense  to  assume  that  an  attaeker 
ean  intereept  any  and  all  messages,  sinee  then  the  attaeker  ean  simply  intereept  all  bidding 
messages  from  other  bidders  and  only  let  its  own  bid  go  through. 

It  is  assumed  that  published  messages  will  be  delivered  to  a  suffieiently  large  portion  of 
the  network  within  a  bounded  time.  That  is,  any  routing  failures  or  denial  of  serviee  attaeks, 
whether  they  are  permanent  or  intermittent,  ean  affeet  only  relatively  small  segments  of  the 
network.  By  “relatively  small,”  we  refer  to  the  proportion  of  auetion  servers  that  may 
be  affeeted.  Sinee  nothing  is  said  about  order  of  delivery,  this  assumption  does  not  fall 
precisely  into  previously  defined  categories  of  “unreliable”  or  “reliable”  communication  in 
sources  such  as  [4]  and  [11]. 

The  second  aspect  of  the  failure  model  is  the  possible  dishonesty  of  auction  servers, 
possibly  in  collusion  with  bidders.  We  adopt  a  Byzantine  failure  model  in  which  faulty 
auction  servers  may  depart  from  the  auction  server  protocol,  withhold  messages  expected 
from  it,  subscribe  to  all  auction-related  messages,  and  publish  all  kinds  of  auction-related 
messages.  A  bidder  may  also  be  faulty  and  misbehave  by  submitting  improper  bids  or 
publishing  them  at  improper  times. 

A  “good”  auction  server  is  one  that  is  not  faulty  and  lies  in  a  segment  of  the  network 
where  messages  published  to  other  good  auction  servers  will  be  received  by  all  good  auc¬ 
tion  servers  in  a  bounded  time.  In  practice,  it  may  be  necessary  to  send  messages  repeatedly 
to  ensure  delivery,  and  this  can  be  a  normal  function  of  the  basic  publish/subscribe  trans¬ 
mission  protocol.  The  bounded-time  assumption  is  discussed  further  in  the  Issues  section 
at  the  end. 

We  assume  that  at  most  a  specified  number  t  of  the  n  auction  servers  are  not  good,  and 
that  n  >  3f  -f  1.  Any  number  of  bidders  may  be  faulty  or  isolated  in  parts  of  the  network 
behind  unreliable  routers.  Some  bids  may  be  lost  for  this  reason. 

3.2  Security  Support 

3.2.1  Public  Key  Infrastructure 

The  protocol  will  make  use  of  a  public-key  cryptosystem  that  must  be  used  by  auction 
servers  and  bidders  for  encrypting  and  signing  messages,  as  called  for  in  the  protocol.  We 
assume  that  there  is  a  certification  authority  that  can  provide  public  key  certificates  prior 
to  the  auction.  Implementing  a  practical  public-key  certification  infrastructure  is  nontrivial, 
but  this  task  is  separable  from  the  conduct  of  the  auction.  In  fact,  there  may  be  many 
services  other  than  an  auction  service  that  would  make  use  of  common  key  management 
facilities. 

One  auction-service-specific  function  is  required  of  the  certificate  authority:  the  certifi¬ 
cate  for  an  auction  server’s  public  key  should  indicate  that  its  role  as  an  auction  server  is 
authorized. 


10 


3.2.2  Secret  Sharing 

We  also  need  a  threshold  seeret  sharing  seheme.  An  (m,  n)-threshold  seheme  permits  a 
message  to  be  projeeted  onto  n  shares  sueh  that  any  m  of  them  ean  be  eombined  to  reeon- 
struet  the  original  message,  but  less  than  m  of  them  eannot.  Several  algorithms  for  this  are 
given  in  Seetion  23.2  of  [19]. 

4  Protocol  Description 

We  assume  that  there  are  a  set  of  n  auetion  servers,  denoted  by  Si,...,Sn-  The  number  n 
is  fixed  for  a  given  auetion.  We  assume  that  n  >  3f  +  1.  For  brevity,  we  refer  to  auetion 
servers  as  “servers,”  though  teehnieally  they  are  “elients”  on  the  infobus.  Si  has  server  ID 
Si-  There  may  be  any  number  of  bidders  Bj,  with  identifiers  bj.  The  auefion  has  a  unique 
auefion  ID,  denofed  as  aid. 

All  messages  relafing  fo  fhis  auefion  are  published  under  an  “auefion”  subjeef  qualified 
by  fhe  auefion  ID.  Some  messages  are  infended  solely  for  auefion  servers  or  bidders,  and 
for  effieieney  fhaf  faef  may  be  indieafed  as  a  subjeef  modifieafion  as  well.  From  an  absfraef 
or  seeurify  poinf  of  view,  if  does  nol  mailer  whelher  a  field  is  pari  of  fhe  subjeef  or  pari  of 
fhe  eonlenl  of  a  message,  and  we  assume  lhal  hoslile  parlies  ean  eavesdrop  on  all  messages. 
For  simplieily  of  fhe  represenlalion,  we  inlroduee  some  shorlhand  denolalions. 

For  any  message  a,  [a]*  is  fhe  enerypfion  of  a  by  server  Si’s  publie  key.  If  is  assumed 
lhal  any  auefion  parlieipanf  ean  look  up  and  use  Si’s  publie  key  given  Si- 

For  any  message  a,  [a],  is  a  signed  by  server  Si’s  private  key.  We  assume  lhal  a  is 
reeoverable  from  [o]*,  and  lhal  fhe  signafure  ean  be  eheeked  by  any  parlieipanf  given  Si- 
All  server  messages  in  fhe  proloeol  are  signed,  so  lhal  olher  servers  will  know  Ihey  are 
aulhenlie.  This  is  imporlanl  lo  determine  subsequenl  server  aelions  and  lo  juslify  inferenees 
aboul  fhe  slale  of  good  servers.  Aulhenliealion  of  bids  is  no!  indieafed  in  fhe  proloeol 
because  if  affecls  only  fhe  internal  slruclure  of  bids,  and  if  mailers  only  for  bid  evalualion, 
which  occurs  afler  fhe  protocol  as  specified  has  concluded. 

We  use  a  (f+ 1,  n)-lhreshold  sharing  scheme,  where  t  is  fhe  maximum  tolerable  number 
of  faulty  servers.  SSFj(s)  is  fhe  ilh  share  of  a  secrel  s. 

A  server’s  slate  Iransilions  are  depicted  in  Figure  1.  A  bidder’s  slate  Iransilions  are 
depicted  in  Figure  2. 

S.l  Starting  the  bidding 

When  server  S'*  decides  that  the  bidding  should  be  started,  it  publishes  a  start  message: 
aid.,  Si,  [aid,  Start],.  When  5,  has  received  start  messages  from  at  least  f  +  1  different  other 
servers,  it  considers  the  bidding  started  and  starts  to  accept  bidding  messages  from  bidders. 


11 


Figure  1 :  Server  State  Transitions 


Figure  2:  Bidder  State  Transitions 


12 


B.l  Submitting  bids 

Suppose  a  bidder  Bj  decides  to  submit  a  bid  yj.  The  format  of  yj  will  be  discussed  later. 

Bj  breaks  yj  into  shares  Xy  =  SSFj(yj),  for  i  =  1,  Then  Bj  generates  the  bid 
message: 

Mj  =  aid,bj,  [xij]^ , [x^jT- 
This  message  is  published  to  all  servers. 

5.2  During  bidding 

When  server  Si  receives  a  bid  Mj  from  a  bidder  Bj  during  the  bidding,  it  publishes  a 
receipt: 

aid,  bj,Si,  [hash(a/(i,  Mj)], 

where  hash  may  be  any  standard  one-way  hashing  function. 

B.2  Committing  the  bids 

When  Bj  receives  a  receipt  from  Si,  it  checks  the  validity  of  the  receipt  by  checking  the 
signature  on  the  hash  value.  After  Bj  receives  valid  receipts  from  at  least  2f  +  1  different 
servers,  it  enters  its  commit  phase.  Until  then,  it  will  either  wait  or  periodically  retry  sub¬ 
mitting  the  bid.  We  assume,  essentially  as  part  of  the  definition  of  a  “good”  server,  that  ah 
good  servers  will  eventually  receive  and  acknowledge  a  correctly  formatted  bid. 

5.3  Closing  the  bidding 

When  Si  decides  that  the  bidding  should  be  closed,  it  publishes  a  signed  close  message: 


aid,  Si,  [aid,  close]  j. 

When  Si  has  received  close  messages  from  at  least  f  -|- 1  different  other  servers,  it  considers 
the  bidding  closed  and  stops  accepting  any  more  bidding  messages  from  the  bidders. 

Suppose  Si  received  Li  bids  in  total.  Let  Hi  be  the  set  of  indices  of  the  bidders  whose 
bids  were  received  by  5j.  Thus,  Ri  is  of  size  Lj.  For  each  k  €  Ri,  Si  decrypts  its  share  of 
Bk ’s  bid,  namely  Xik  ■ 

It  then  publishes  n  fingerprint  of  the  set  of  bids  that  it  has  received: 


aid.  Si ,  [hash  {aid,  { {bk  ,Xik,Mk)}k^Ri)\i 


The  fingerprint  contains  a  signed  hash  of  a  list  of  triples,  one  for  each  received  bid;  each 
triple  has  the  bidder  ID,  5j’s  bid  share,  and  the  complete  bid  message.  (Faulty  servers  may 
or  may  not  send  out  a  fingerprint  message,  but  if  they  do,  it  is  received  by  all  good  servers.) 


13 


S.4  Opening  the  bids 

After  a  bounded  time,  all  the  good  servers  should  have  stopped  reeeiving  bids,  and  have 
published  their  fingerprints.  Sinee  there  are  at  most  t  faulty  servers,  there  are  at  least  n  —  t 
fingerprints  published. 

After  a  bounded  additional  time,  eaeh  good  server  S'*  will  have  reeeived  fingerprint 
messages  from  all  other  good  servers.  They  republish  ah  the  fingerprint  messages  that  they 
have  reeeived.  The  ineonsistent  messages  will  be  eonsidered  as  from  faulty  servers  and  will 
be  disearded.  So  all  good  servers  will  have  the  same  set  of  fingerprint  messages.  Then  it 
publishes  its  bid-set  message,  eontaining  the  information  that  was  hashed  to  eompute  the 
fingerprint.  The  bid-set  message  is: 


aid,  Si,  [{{bk,Xik,Mk)}k^R^]i. 


S.5  Reconstructing  the  bids 

After  another  bounded  additional  interval,  eaeh  good  server  S'*  will  have  reeeived  ah  bid-set 
messages  sent  by  all  other  good  servers. 

When  Si  reeeives  a  bid-set  message  from  Sj,  it  first  eheeks  whether  it  matehes  the 
fingerprint  from  Sj  by  eomputing  the  hash  value.  If  they  don’t  mateh,  it  means  Sj  is  faulty 
and  that  bid-set  message  is  disearded  by  5,  (and  all  other)  good  servers.They  republish  all 
the  bid-set  messages  that  they  have  reeeived.  The  ineonsistent  messages  will  be  eonsidered 
as  from  faulty  servers  and  will  be  disearded.  So  ah  good  servers  will  have  the  same  set  of 
bid-set  messages. 

Si  reeonstruets  the  bid  from  Bj  as  follows.  Let  Tik  be  the  set  of  indiees  of  servers  Sj 
from  whom  a  bid-set  message  with  has  been  reeeived  by  S'*. 

For  eaeh  index  k  €  To-,  Si  ean  extraet  Sj’s  share  of  bid  y^,  namely  Xjk,  from  the 
jth  bid-set  message,  eompute  [xjk\K  and  eompare  this  with  the  value  from  the  bid  message 
Mk.  If  they  mateh,  the  share  Xjk  is  valid  and  ean  be  used  to  reeonstruet  the  bid  y^. 

If  Tik  eontains  at  least  f  -f  1  elements,  then  Si  eombines  those  f  -|- 1  shares  to  eonstruet 
a  value  that  should  be  equal  to  the  bid  y^. 

If  there  exists  any  j  sueh  that  [SSFj(y'^)]'^  ^  ^  where  [xjkY  is  taken  from  the  bid 

message  M^,  then  Si  diseards  the  bid  from  Bk- 

In  this  way.  Si  reeonstruets  a  set  of  bids  and  seleets  a  winner  aeeording  to  the  publiely- 
known  rule  for  the  auetion. 

Ah  the  good  servers  will  reeonstruet  exaetly  the  same  set  of  bids,  beeause  eaeh  of  them 
reeeived  the  same  set  of  bid-set  messages.  The  majority  of  the  servers  will  agree  on  a 
seleetion,  sinee  good  servers  are  in  the  majority,  and  that  seleetion  is  deelared  the  winner  of 
the  auetion.  Issues  sueh  as  authentieation  and  enforeement  of  the  bids  will  be  diseussed  in 
a  later  seetion. 


14 


5  Formal  Specification  of  the  System 


The  secure  auction  service  system  is  a  distributed  system  composed  of  asynchronous  pro¬ 
cesses,  namely,  the  auction  servers  and  bidders.  Systems  and  most  programming  language 
structures  can  be  modeled  as  state  machines  [18].  A  state  machine  consists  of  some  encod¬ 
ing  of  the  system  state,  and  the  next-state  transition  relationship. 

Compositional  reasoning  and  verification  are  often  necessary  and  desired  to  simplify 
the  complexity  of  a  verification  [3].  The  state  of  a  distributed  system  can  be  viewed  as  the 
composition  of  the  local  states  of  its  component  processes.  The  state  transition  relation,  as 
well,  can  be  decomposed  into  local  state  transitions  per  component. 

Abstraction  of  the  system  structure,  including  communication  and  cryptographic  prim¬ 
itives,  is  necessary  for  protocol  level  specification  and  verification.  In  this  section,  we 
describe  how  we  use  composition  and  abstraction  techniques  for  the  system  specification. 

For  the  secure  auction  service  system,  the  global  state  is  the  composition  of  the  local 
states  of  the  components  representing  auction  servers  and  bidders.  Each  of  these  compo¬ 
nents  operates  asynchronously  according  to  a  local  state  transition  relation.  There  are  two 
local  transition  relations,  one  for  auction  servers  and  one  for  bidders. 

All  auction  servers  have  the  same  state  structure,  and  so  do  all  of  the  bidders.  These 
structures  are  described  in  the  next  subsection. 

The  infobus  is  modeled  using  local  state  variables  that  record  the  sets  of  messages  that 
have  been  published  by  each  participant.  The  state  of  the  infobus  is  the  union  of  all  of  these 
locally-defined  sefs. 

The  global  slate  slruclure  is  summarized  schematically  in  Figure  3.  The  figure  shows 
how  Ihe  auclion  server  slale  and  Ihe  bidder  sfale  are  decomposed  info  slate  variables.  The 
infobus  slale  also  has  componenls,  each  of  which  is  derived  as  Ihe  union  of  corresponding 
local  slate  componenls. 

5.1  Abstraction  of  the  Auction  Server 

An  auclion  server  is  a  local  slate  machine  wilh  Ihe  slate  variables  shown  in  Figure  3.  The 
phase  variable  has  one  of  Ihe  values  prestart,  starting,  bidding,  closing,  opening,  recon¬ 
structing.  wantStart  and  wantClose  are  boolean  variables  lhal  indicates  when  Ihe  auction 
server  decides  lhal  il’s  time  lo  slarl  or  close,  respectively. 

start-buffer,  close  Jbuffer,  bids -buffer,  fingerprint  Jbuffer  and  bidset -buffer  are  sels  of  IDs 
identifying  servers  and  bidders  from  whom  messages  of  Ihese  kinds  have  been  received. 

openBid  is  Ihe  sel  of  IDs  identifying  bidders  whose  bid  shares  have  been  opened  by  Ihis 
auction  server,  i.e.,  Ihose  lhal  are  included  in  ils  bid-sel  message. 

holdShare -buffer  is  Ihe  sel  of  all  Ihe  shares  lhal  Ihe  auction  server  can  decrypl  from  ils 
bids  Jbuffer.  holdBid  Jbuffer  is  Ihe  sel  of  all  Ihe  bids  lhal  Ihe  auction  server  reconslrucls  al 
Ihe  end. 


15 


phase 

wantStart 

wantClose 

start_buffer 

close_buffer 

bids_buffer 

fingerprint_buffer 

bidset_buffer 

openBid 

holds  hare_btiffer 

holdBid_buffer 

sentStart 

sentClose 

receipt_buffer 

close_buffer 


bids_buffer 
receipt_buffer 
fingerprint_buffer 
share  s_buffer 


Figure  3:  Global  State  Strueture 


sendStart  and  sendClose  are  boolean  variables  that  indieate  when  the  auetion  server  has 
already  sent  out  start  or  elose  messages,  receipt  jbuffer  is  the  set  of  all  the  IDs  of  bidders 
whose  bid  it  has  aeknowledged  by  a  reeeipt. 

5.2  Abstraction  of  the  Bidder 

A  bidder  is  a  loeal  state  maehine  with  the  loeal  state  variables  shown  in  Figure  3.  good  is 
a  boolean  flag  that  indieates  whether  the  bidder  is  “good,”  that  is,  if  it  follows  the  protoeol 
speeifieation.  The  phase  variable  has  one  of  the  values  prebid,  bidding,  commit.  wantBid 
is  a  boolean  variable  that  indieates  that  when  the  bidder  deeides  that  it’s  time  to  submit  its 
bid.  receipt  Jbuffer  is  the  set  of  IDs  of  servers  from  whom  the  bidder  has  reeeived  a  reeeipt. 

5.3  Abstraction  of  the  Publish/Subscribe  Communication 

The  bus  has  a  state  with  six  eomponents.  Eaeh  eomponent  is  a  set  of  IDs  of  servers  or 
bidders  who  have  published  messages  of  eaeh  type:  start  Jjuffer,  close  Jjuffer,  bidsJjuffer, 
receipt-buffer,  fingerprint  Jjuffer  and  shares  Jjuffer.  These  sets  are  eomputed  from  eorre- 
sponding  state  variables  in  the  loeal  states  of  the  servers  and  bidders. 

In  any  state  transition  in  whieh  a  message  is  published,  that  faet  is  reeorded  in  the  loeal 
state  of  the  publisher,  and  appears  also  by  definition  in  the  state  of  the  bus.  A  message  ean 
be  reeeived  (as  indieated  in  a  loeal  state  variable)  only  if  the  message  has  previously  been 
published,  as  reeorded  in  the  eurrent  bus  state.  This  is  a  faet  about  the  eonstruetion  of  the 
next-state  transition  relation.  Also,  by  eonstruetion,  eaeh  buffer  set  is  nondeereasing. 

While  some  state  variables  eontain  sets  of  messages,  sueh  messages  are  formalized  as 
elements  of  a  primitive  type,  so  that  the  aetual  eontents  and  formats  of  protoeol  messages 
are  not  explieitly  represented  in  the  speeifieation.  Instead,  their  essential  properties  are 
axiomatized. 


6  Formal  Specification  and  Verification  of  Security  Properties 
in  PVS 

This  seetion  deseribes  how  the  auetion  protoeol  was  speeified  and  verified  using  the  PVS 
environment. 

6.1  PVS  Overview 

PVS  is  a  integrated  environment  for  speeifieation  and  automated  verifieation  developed  at 
SRI  [12].  PVS  speeifieation  language  is  based  on  higher-order  logie  with  ariehly  expressive 
type  system.  It  supports  standard  theories  of  integers,  sets,  funetions,  and  relations,  as  well 
as  the  ability  to  eonstruet  new  abstraet  data  types.  The  PVS  theorem  prover  eonsists  of  a 


17 


powerful  collection  of  inference  steps  augmented  with  a  library  of  decision  procedures  and 
the  ability  to  add  user-defined  proof  strategies. 

A  PVS  specification  is  divided  into  theories,  each  defining  a  relafed  sef  of  dafa  fypes 
and  sfafing  axioms  and  fheorems  abouf  fhem.  Dafa  fype  declarafions  resemble  fhose  in  a 
sfrongly-fyped  programming  language.  The  bulk  of  fhe  auction  service  specification  is  in  a 
single  fheory  fhaf  infroduces  types  for  fhe  sfafe  dafa  sfrucfures  summarized  above. 

The  subsecfions  below  show  how  fhe  essential  property  of  fhe  shared  secref  funclion  is 
axiomafized  and  how  fhe  auction  service  properties  are  sfafed.  A  few  remarks  abouf  PVS 
nofafion  should  be  sufficienl  fo  read  fhese  formulas. 

The  new  dafa  fypes  include  ID,  GID,  BID,  and  trace.  The  ID  fype  consisfs  of  all  aucfion 
server  IDs,  wifh  a  subfype  GID  of  good  server  IDs.  The  BID  type  is  for  bidder  IDs.  A  frace 
is,  by  definilion,  a  sequence  of  global  sfafes  beginning  wifh  an  inifial  sfafe  and  such  fhaf 
each  consecutive  pair  of  sfafes  is  consisfenf  wifh  fhe  fransifion  relation. 

Componenfs  of  a  sfrucfure  are  accessed  by  using  fhe  componenf  names  as  funclions. 
Local  sfafes  are  obfained  from  a  global  sfafe  by  indexing  on  fhe  ID,  so  fhaf,  for  example, 
fhe  holdBid  componenf  of  server  i  in  fhe  global  sfafe  g  is 
holdBid (astate { g)  (i)). 

In  PVS,  a  sef  can  be  represenfed  by  a  boolean  function.  Thus,  fhe  formula  x  E  {y\G{y)} 
would  appear  in  fhe  specification  as  G  { x ) ,  and  fhe  sef  ifself  is  wriffen  { G )  . 

The  shared-secref  function  invocation  SSFj(j)  is  wriffen  SSF  (i )  {  j  )  ,  and  card  is 
fhe  cardinalify  funcfion. 

6.2  Axiomatization  of  the  Shared  Secret  Function 

The  mafhemafical  properties  of  fhe  fhreshold  sharing  scheme  are  capfured  by  fhe  following 
axiom,  sfafing  fhaf  af  leasf  f  + 1  shares  of  a  bid  musf  be  held  by  a  server  Si,  as  indicated  in  ifs 
holdShare  sfafe  variable,  in  order  for  fhaf  server  fo  hold  fhe  reconsfrucfed  bid,  as  indicated 
in  ifs  holdBid  slate  variable.  This  is  sfafed  as  Irue  for  every  global  sfafe  in  a  frace.  The 
conlenls  of  holdBid  are  nol  affected  or  conslrained  by  any  olher  parf  of  fhe  specification. 

holdBid_true :  AXIOM 

FORALL  {tracel:trace, j:nat,i:ID,b:BID) : 
holdBid (astate (tracel { j ) ) (i)) {myBids (b) )  AND 
good  (bstate (tracel  {  j ) )  (b) )  <=> 

(EXISTS  (y : f inite_set [below [N] ] ) : 

(FORALL (a: (y) ) : 

holdShare (astate (tracel ( j ) )  (i) )  (SSF (myBids (b) )  (a)  )  )  AND 
card  (y ) >t ) 


18 


6.3  Invariants 

The  desired  properties  of  the  system  are  invariants;  they  are  true  of  every  reaehable  state, 
i.e.,  every  state  in  a  traee.  They  are  proved  induetively  by  showing  that  they  are  true  in  an 
initial  state  and  preserved  by  all  state  transitions. 

•  Safel :  THEOREM 

FORALL  (tracel:  trace,  j:nat,  gid:GID): 
phase  (astate  (tracel  {  j ) )  (gid) ) =bidding  => 

EXISTS  {i:GID):  (wantStart (astate  (tracel { j )){ i ) ) 

The  bidding  period  starts  only  after  a  good  auetion  server  deeides  that  it  should  start. 

•  Safe2:  THEOREM 

FORALL  (tracel:  trace,  j:nat,  gid:GID): 
phase  (astate  (tracel  (  j ) )  (gid) ) =opening  => 

EXISTS  (i:GID):  (wantClose (astate (tracel ( j ))( i )) ) 

A  good  auction  server  stops  accepting  bids  only  after  some  good  auction  server  de¬ 
cides  that  the  bidding  period  should  be  closed. 

•  pss:  THEOREM 

FORALL  (tracel:trace, j :nat,i:ID,b:BID) : 
holdBid (astate (tracel ( j ) ) (i) ) (myBids (b) )  AND 
good (bstate (tracel  (  j ) )  (b) )  => 

CLOSE_bid (tracel  (  j )  ) 

Before  the  bidding  is  closed,  the  identity  of  the  bidder  and  the  bids  of  the  bidder  are 
not  revealed.  CLOSE_bid(p)  is  defined  as  true  if  all  good  servers  in  global  state  g 
have  reached  at  least  the  opening  phase. 

•  Uniform:  THEOREM 

FORALL  (tracel :trace, j : nat , il : GID, 12 : GID, b : BID ) : 

(holdBid (astate  (tracel  (  j ))  (il ))  (myBids (b)  )  AND  il/=i2 
AND  Open_bid (tracel ( j ) ) 

AND  good (bstate (tracel  (  j ))  (b) ) )  => 
holdBid (astate (tracel ( j )  )  (12 ) )  (myBids (b) ) 

After  the  bids  are  reconstructed,  all  the  good  servers  reconstruct  the  same  set  of  bids. 

•  Closel:  THEOREM 

FORALL  (tracel:trace, j :nat,i:GID,b:BID) : 

(holdBid (astate  (tracel  (  j ) )  (i))  (myBids (b) )  AND 
good (bstate (tracel ( j ) ) (b) ) )  => 
validBid (tracel ( j) ) (b) 


19 


After  the  bidding  period  is  elosed,  no  more  bids  ean  be  aeeepted  as  valid  bids. 
validBid(p)(6)  is  defined  as  true  in  a  global  state  g  if  the  bid  from  b  has  been  ae¬ 
eepted  by  at  least  one  good  server. 

•  commit :  THEOREM 

FORALL  {tracel:trace,i:GID,b:BID, j:nat) : 
phase  (bstate (tracel { j ) )  (b) ) =commit 
AND  good (bstate (tracel { j ) ) (b) ) 

AND  Open_bid (tracel ( j ) ) 

=>  holdBid (astate (tracel ( j ))  (i)  ) 

If  a  good  bidder  eommits,  its  bid  is  guaranteed  to  be  reeonstrueted  and  taken  into 
final  eonsideration  as  a  in-time  bid. 


7  Design  and  Modeling  Issues 

This  seetion  diseusses  some  issues  regarding  assumptions  and  design  ehoiees  that  were 
made  in  the  present  protoeol  design. 

7.1  Other  properties  of  the  Auction 

At  the  eonelusion  of  the  protoeol  as  presented,  all  good  servers  have  opened  the  same  set  of 
bids  and  agreed  on  a  winner.  The  identity  of  the  bidder  supplying  that  bid  is  not  guaranteed 
by  the  protoeol.  Any  authentieation  or  nonrepudiation  if  needed  ean  be  provided  by  some 
other  eryptographie  primitives  and  the  format  of  the  bids  which  is  application-specific. 

7.2  Delivery  of  electronic  goods 

If  the  object  of  the  auction  is  in  electronic  form,  such  as  software  or  a  postscript  file,  our 
original  approach  can  be  extended  to  secure  delivery  as  follows.  Every  bidder  will  include 
a  public  key  in  its  bid.  Then  the  goods  can  be  transmitted  confidentially  to  the  winner  by 
using  the  public  key  provided  in  the  winner’s  bid.  This  public  key  need  not  be  certified, 
because  it  is  in  the  interests  of  the  winner  to  provide  the  correct  key,  and  the  good  servers 
will  agree  on  its  value. 

We  might  also  ask  where  the  file  to  be  awarded  was  held  prior  to  delivery  to  the  winner. 
Rather  than  trust  any  one  server  to  hold  it,  it  can  be  split  using  a  (f  -|-  1 ,  n)  secret-sharing 
scheme  among  all  servers.  Each  server  will  publish  its  own  share  encrypted  by  the  winner’s 
public  key  so  that  the  winning  bidder  will  receive  enough  shares  to  reconstruct  the  item, 
and  a  collusion  of  faulty  servers  will  not  be  able  to  reconstruct  it. 


20 


7.3  Externally  Triggered  Transitions 

Certain  state  transitions  occur  as  a  result  of  the  passage  of  time,  based  on  assumptions 
about  the  reliability  of  good  servers  and  network  message  delivery.  Good  servers  decide  to 
start  the  bidding  and  close  the  bidding  according  to  a  predefined  date/time  schedule  for  the 
auction  or  some  external  event.  They  consult  a  local  system  clock  or  receive  some  other 
events  to  trigger  those  state  changes.  The  triggering  events  may  be  out  of  synchronization, 
but  the  protocol  compensates  for  this  by  forcing  good  servers  to  undergo  the  phase  change 
when  it  has  received  signal  messages  from  f  +  1  other  servers.  The  number  f  +  1  means 
that  at  least  one  good  server  has  sent  out  its  signal. 

Event-triggered  state  changes  are  indicated  with  boolean  state  variables.  In  the  specifi¬ 
cation,  they  are  set  nondeterministically. 

7.4  Time  Bounds 

A  good  server  opens  bids  only  when  it  knows  that  all  good  servers  have  stopped  accepting 
bids  and  published  their  fingerprints.  This  knowledge  comes  not  from  having  received 
any  particular  number  of  close  or  fingerprint  messages,  but  rather  from  the  time  bound  on 
actions  of  good  servers  and  delivery  of  their  messages.  The  transition  to  opening  bids  is 
triggered  in  the  specification  by  a  predicate  on  the  global  state  testing  whether  all  good 
servers  have  published  their  fingerprint  messages. 

The  assumption  that  good  servers  can  send  messages  to  one  another  within  a  known 
time  bound  is  a  strong  but  reasonable  assumption.  The  protocol  will  fail  if  some  global 
outage  (internet  worms,  satellite  failure,  etc.)  affects  a  large  portion  of  the  network  for 
an  excessive  time.  We  are  investigating  whether  we  can  weaken  the  delivery  assumption 
by  making  use  of  failure  detectors  or  by  assuming  instead  partial  synchrony,  where  a  time 
bound  exists  but  is  not  known  [2].  Alternatively,  it  may  be  adequate  to  recognize,  when 
a  known  time  bound  passes,  that  an  insufficient  number  of  good  servers  has  responded, 
and  declare  the  auction  invalid  without  compromising  the  bids.  In  the  present  protocol,  if 
too  many  servers  go  out  of  communication,  it  is  a  liveness  rather  than  a  safety  or  security 
problem,  since  the  bids  will  remain  secret. 

8  Conclusions 

The  motivation  for  this  work  was  to  understand  whether  it  is  possible  to  integrate  fault- 
tolerance  and  security  into  loosely  coupled  publish/subscribe  systems  and  to  combine  the 
system  building  blocks  with  formal  techniques  to  provide  possible  solutions  for  electronic 
commerce  systems,  particularly  a  secure  auction  service. 

We  have  accomplished  these  goals,  and  gained  assurance  in  the  correctness  of  the  design 
through  the  use  of  an  established  specification  and  verification  facility.  One  of  the  beneficial 
consequences  of  the  verification  activity  was  a  better  understanding  of  what  assumptions  to 


21 


make  about  message  delivery,  leading  us  to  a  different  eategory  of  “reliable”  transmission 
that  is  reasonable  for  a  publish/subseribe  system. 

We  are  in  the  proeess  of  implementing  a  prototype  system  demonstrating  the  design, 
using  the  Java  Infobus  applieation  program  interfaee. 


Acknowledgements 

Thanks  to  John  Rushby  for  helpful  diseussions  and  adviee.  Thanks  to  Sergey  Berezin  and 
others  at  SRI  for  help  with  PVS. 


References 

[1]  K.  R  Birman.  The  proeess  group  approaeh  to  reliable  distributed  eomputing.  Comm. 
ACM,  1993. 

[2]  Cynthia  Dwork,  Naney  Lyneh,  and  Larry  Stoekmeyer.  Consensus  in  the  presenee  of 
partial  synehrony.  Journal  of  the  ACM,  1988. 

[3]  E.Clarke,  D.Long,  and  K.MeMillan.  Compositional  model  eheeking.  In  Proceedings 
of  the  Fourth  Annual  Symposium  on  Logic  in  Computer  Science,  pages  353-362,  1989. 

[4]  M.  K.  Franklin  and  M.  K.  Reiter.  The  design  and  implementation  of  a  seeure  aue- 
tion  serviee.  In  IEEE  Security  and  Privacy  Symposium,  pages  2-14.  IEEE  Computer 
Soeiety,  1995. 

[5]  G.Eowe.  Breaking  and  fixing  the  needham-sehroeder  publie-key  protoeol  using  FDR. 
In  Proceedings  ofTACAS,  Lecture  Notes  in  Computer  Science,  volume  1055,  1996. 

[6]  Ei  Gong,  R.Needham,  and  R.Yahalom.  Reasoning  about  belief  in  eryptographie  pro- 
toeols.  In  Proceedings  of 1990  IEEE  Symposium  on  Research  in  Security  and  Privacy, 
1990. 

[7]  E.Eamport  and  M.Pease.  The  byzantine  generals  problem.  ACM  TOPLAS,  1982. 

[8]  E.Paulson.  Proving  properties  of  seeurity  protoeols  by  induetion.  In  10th  IEEE  Com¬ 
puter  Security  Eoundations  Workshop,  1997. 

[9]  M.Burrows,  M.Abadi,  and  R.Needham.  A  logie  of  authentieation.  In  Proceedings  of 
the  Royal  Society,  volume  426  of  A,  pages  233-271,  1989. 

[10]  Catherine  Meadows.  The  NRE  protoeol  analyzer:  an  overview.  Journal  of  Logic 
Programming,  1996. 


22 


[1 1]  B.  Oki,  M.  Pfluegl,  A.  Siegel,  and  D.  Skeen.  The  information  bus  -  an  arehiteeture  for 
extensible  distributed  systems.  ACM  Operating  Systems  Review,  27(5):58-68,  1993. 

[12]  S.  Owre,  J.  M.  Rushby,  N.  Shankar,  and  F.  von  Henke.  Formal  verifieation  for  fault- 
tolerant  arehiteetures:  Prolegomena  to  the  design  of  PVS.  IEEE  Trans,  on  Software 
Engineering,  21(2):  107-125,  February  1995. 

[13]  Miehael  Reiter.  Seeure  agreement  protoeols:  Reliable  and  atomie  group  multieast 
in  rampart.  In  2nd  ACM  Conference  on  Computer  and  Communications  Security, 
November  1994. 

[14]  R.MeAfee  and  J.MeMillan.  Auetions  and  bidding.  Journal  of  Economic  Literature, 
1987. 

[15]  John  Rushby.  Formal  methods  and  their  role  in  the  eertifieation  of  eritieal  systems. 
Teehnieal  Report  SRI-CSL-95-1,  Computer  Seienee  Laboratory,  SRI  International, 
Menlo  Park,  CA,  Mareh  1995. 

[16]  John  Rushby.  Systematie  formal  verifieation  for  fault-tolerant  time-triggered  algo¬ 
rithms.  In  Mario  Dal  Cin,  Catherine  Meadows,  and  William  H.  Sanders,  editors.  De¬ 
pendable  Computing  for  Critical  Applications — 6,  volume  1 1  of  Dependable  Comput¬ 
ing  and  Eault  Tolerant  Systems,  pages  203-222,  Garmiseh-Partenkirehen,  Germany, 
Mareh  1997.  IEEE  Computer  Soeiety. 

[17]  John  Rushby  and  Eriedrieh  von  Henke.  Eormal  verifieation  of  algorithms  for  eritieal 
systems.  IEEE  Transactions  on  Software  Engineering,  19(l):13-23,  1993. 

[18]  Ered  Sehneider.  Implementing  fault-tolerant  serviees  using  state  maehine  approaeh:  a 
tutorial.  ACM  Computing  Serveys,  1990. 

[19]  B.  Sehneier.  Applied  Cryptography.  Wiley,  1996. 


23 


A  Necessarily  Concurrent  Attack  * 


Jonathan  K.  Millen 
Computer  Science  Laboratory 
SRI  International 
Menlo  Park  CA  94025  USA 

millen@csl.sri.com 
Phone:  +1  (415)  859-2358  Fax:  +l  (415)  859-2844 


Abstract 

An  artificial  protocol  called  the  “ffgg”  protocol  is  constructed,  with 
an  assumed  security  objective  to  keep  a  certain  data  item  secret.  A  mes¬ 
sage  modification  attack  is  given  that  exposes  the  data  item;  in  this  attack 
there  are  two  concurrently-running  responder  processes  belonging  to  the 
same  agent.  To  show  that  a  concurrent  attack  is  necessary,  we  use  an  in¬ 
ductive  approach  to  prove  that  the  protocol  is  secure  under  the  assumption 
that  this  kind  of  concurrency  is  excluded. 


1  Introduction 

Model  checking  has  proved  to  be  a  successful  way  to  fi  nd  vulnerabilities  in  cryptographic 
protocols.  See,  for  example,  [2, 3, 6].  If  a  model  checker  fails  to  fi  nd  an  attack,  however,  it 
may  only  mean  that  there  is  no  attack  on  the  particular  fi  nife  sysfem  analyzed.  We  would 
like  fo  know  under  whaf  conditions  an  analysis  of  a  fi  nife  sysfem  is,  or  is  nof,  suffi  cienf 
fo  jusfify  a  securify  claim  for  a  protocol  in  a  nefwork  environmenf  wifh  an  unbounded 
number  of  concurrenf  and  pasf  runs  of  fhis  and  ofher  protocols.  Under  cerfain  resfricfive 
assumptions  abouf  fhe  profocol,  Lowe  has  shown  fhaf  if  is  suffi  cienf  fo  analyze  a  sysfem 
wifh  one  honesf  agenf  in  each  role,  each  of  whom  can  run  fhe  profocol  jusf  once  wifh  fhe 
ofher  honesf  agenfs  [1].  The  purpose  of  fhis  paper  is  fo  show  fhaf  for  some  ofher  protocols, 
if  is  necessary  fo  analyze  a  sysfem  wifh  af  leasf  fwo  processes  running  fhe  same  role  for  fhe 
same  agenf. 

Furfhermore,  fhe  fwo  processes  musf  run  concurrenfly;  fhaf  is,  fhe  profocol  is  secure 
if  fhe  fwo  processes  are  serialized.  We  call  fhis  role  concurrency  fo  disfinguish  if  from  fhe 

*This  work  was  supported  by  ARPA  under  Arpa  Order  E301,  Air  Force  Rome  Laboratory  contract  no. 
F30602-96-C-0291 


24 


normal  concurrency  of  the  communicating  processes  in  complementary  roles.  It  should  also 
be  distinguished  from  the  normal  concurrency  of  independent  protocol  sessions  involving 
disjoint  sets  of  agents.  Role  concurrency  is  signifi  cant  because  state  exploration  techniques 
encounter  a  combinatorial  explosion  with  concurrent  processes  that  is  avoided  if  they  can 
be  serialized. 

An  artifi  cial  protocol  called  the  “ffgg”  protocol  is  constructed,  with  an  assumed  secu¬ 
rity  objective  to  keep  a  certain  data  item  secret.  A  message  modifi  cation  attack  is  given 
that  exposes  the  data  item;  in  this  attack  there  are  two  concurrently-running  responder  pro¬ 
cesses  belonging  to  the  same  agent.  To  show  that  a  concurrent  attack  is  necessary,  we  use 
an  inductive  approach  to  prove  that  the  protocol  is  secure  under  the  assumption  that  role 
concurrency  is  excluded.  The  proof  technique  is  based  primarily  on  Paulson’s  work  [5], 
but  it  borrows  the  “ideal”  concept  from  the  Thayer,  Herzog  and  Guttman  paper  [7],  and  the 
proof  is  constructed  and  checked  in  the  PVS  verifi  cation  environment  [4]. 

2  The  ffgg  Protocol 

In  this  protocol,  A  and  B  are  agents  (sometimes  called  “principals”),  JVi  and  N2  are  nonces, 
M  is  a  secret  message,  and  PKB  is  B’s  public  key. 

1. A^B:  A 

2. B^  A:  Ni,N2 

3.  A  ^  B  :  {Ni,N2,M}pj^Q 

4. B^A:  Ni,N2,  {iVs,  M,  Nijpj^p 


When  B  receives  message  3,  B  performs  only  certain  limited  checks  and  computations 
to  form  the  reply.  B  checks  JVi,  and  extracts  JV2  but  does  not  check  it  against  the  original 
value  generated  by  B.  We  also  assume  that  the  type  of  M  is  not  discernibly  different  from 
that  of  N2- 

The  use  of  PKB  rather  than  PKA  in  the  last  message  is  not  a  misprint.  We  do  not  claim 
that  this  protocol  is  suitable  for  any  application,  only  that  it  poses  an  interesting  problem 
for  analysis. 

We  call  this  the  “ffgg”  protocol  because  the  responder  B  has  two  state  transitions:  the 
fi  rst,  or  /-transition,  is  to  reply  to  message  1  with  message  2,  and  the  second,  or  p-transition, 
is  to  reply  to  message  3  with  message  4.  In  the  attack  scenario,  there  is  another  B  responder 
doing  /'  and  g'  transitions,  and  these  are  interleaved  concurrently  with  /  and  g  in  the  pattern 

ffgg'- 

3  The  Concurrent  Attack 

A  message-modifi  cation  attack  that  exposes  the  secret  data  item  M  is  presented  below. 


25 


An  agent  identifi  er  in  parentheses  indieates  interferenee  by  the  attaeker:  if  the  souree  is 
in  parentheses,  the  message  has  been  forged  or  modifi  ed  by  the  attaeker.  If  the  destination 
is  in  parentheses,  the  message  is  intereepted  before  it  reaehes  the  named  destination. 

There  are  two  responder  proeesses  running  for  agent  B ;  the  seeond  proeess  is  assoei- 
ated  with  primed  symbols  B\N{^N2-  Note  that,  beeause  the  seeond  responder  proeess  is 
running  on  behalf  of  the  same  agent  B,  it  still  uses  the  same  publie  key  PKB. 

l.A^B:A 

T.  (A)  B'  :A 

2a.  B  ^  (A)  :  Ni,N2 

2'.  B'  (A)  :  N{,N^ 

2b.  (B)  ^  A:  Ni,N[ 

3. A^B:{Ni,N[,M}pKB 

4. B^  (A)  :  iVi,  iV',  {N[,M,  Ni}pkb 

3'.  (A)  ^  B'  :  {Ni,M,N,}pKB 

4'.  B'  ^  (A)  :  iV',  M,  {M,  iVi, 

Having  shown  that  there  is  a  eoneurrent  attaek,  we  must  now  establish  that  role  eon- 
eurreney  is  a  neeessary  feature  of  any  sueeessful  attaek.  That  is,  we  must  prove  that  the 
protoeol  is  seeure  if  role  eoneurreney  is  disallowed.  We  do  this  by  setting  out  to  prove  that 
the  protoeol  is  seeure  as  it  stands,  and  redueing  the  proof  to  one  remaining  ease  that  fails 
only  if  role  eoneurreney  is  allowed. 

4  The  Modelling  Approach 

We  apply  Paulson’s  modelling  approaeh.  The  network  environment  is  eaptured  by  several 
rules  that  permit  message  events  to  be  appended  to  a  traee.  Most  of  the  rules  represent  state 
transitions  by  agents  following  a  speeifi  ed  role  in  the  protoeol.  Another  rule  represents  the 
fabrieation  of  message  events  by  the  “Spy.” 

The  eontent  of  a  message  is  afield  in  the  set  T  of  one  of  several  subtypes:  an  agent  in 
the  set  A,  a  nonce  in  the  set  J\f,  a  key  in  the  set  /C,  or  it  eould  be  eomputed  as  a  concatenation 
(X,  y)  for  any  X,  y  e  X  or  a  ciphertext  {X}k  for  X  E  X  and  K  ^  fC. 

In  a  more  general  eontext,  a  distinetion  would  be  made  between  publie  keys  and  sym- 
metrie  keys,  and  other  types  of  fi  elds  or  eomputations  might  be  needed. 

A  message  event  has  the  form  A  ^  B  :  X,  where  A  and  B  are  the  souree  and  destina¬ 
tion  agents,  respeetively,  and  the  fi  eld  X  is  the  message  eontent.  When  X  is  a  eoneatena- 
tion  oeeurring  as  a  message  eontent,  we  omit  the  outer  parentheses.  We  also  omit  the  outer 
parentheses  when  the  eoneatenation  is  being  enerypted,  and  there  are  braekets  around  it. 
When  we  write  a  multiple  eoneatenation  like  (X,  X,  G),  this  is  supposed  to  be  interpreted 
as  a  nested  binary  eoneatenation  that  is  parsed  right-assoeiatively,  as  (X,  (X,  G)). 


26 


We  are  taking  liberties  with  Paulson’s  terminology  -  for  example,  Paulson  would  write 
an  event  as  Says  ABX,  and  the  type  of  X  was  ealled  “message.”  Our  varianee  in  ter¬ 
minology  is  for  two  reasons:  in  most  of  the  text  we  wish  to  stay  as  elose  as  possible  to 
eonventional  protoeol  notation,  and  the  maehine-eheeked  proofs  use  a  different  PVS  for¬ 
mulation. 

The  essential  aspeets  of  Paulson’s  model  have  been  retained,  however.  In  partieular,  the 
traee  only  eontains  send  events  -  no  reeeive  events.  Also,  the  souree  agent  name  A  is  the 
true  souree  and  would  be  “Spy”  for  messages  generated  by  the  Spy.  This  address  is  not 
visible  to  the  destination  agent,  who  ean  see  only  the  message  eontent  X. 

A  trace  is  a  sequenee  of  message  events.  A  protocol  is  a  triple  (T,  S',  I)  where  T  is 
a  set  of  traees,  S  is  a  set  of  seeret  fi  elds,  and  7  is  a  set  of  fi  elds  interpreted  as  the  initial 
knowledge  of  the  Spy.  Thus,  a  protoeol,  by  our  defi  nition,  ineludes  a  seereey  poliey  and  an 
assumption  about  what  information  a  potential  attaeker  might  have. 

We  assume  that  T  is  prefi  x-elosed  (if  st  ^  T  then  s  G  T).  The  elements  of  S  are  atomie 
data  items  (keys  and  nonees)  that  are  required  to  be  proteeted  from  diselosure  to  the  Spy. 
Thus,  S  n  7  =  0  (otherwise  the  game  is  over).  Aetually,  we  need  a  stronger  eondition  given 
in  the  next  seetion. 

5  The  Secrecy  Policy 

The  seereey  poliey  for  the  protoeol  (T,  5,  7)  is  that  if  A  ^  B  :  X  oeeurs  in  some  traee 
f  e  T,  then  X  ^  S.  (This  is  what  we  want,  beeause  if  the  Spy  ever  obtains  a  seeret  item  X, 
it  ean  transmit  it  as  a  message.)  This  seereey  assertion  is  proved  induetively  as  an  invariant. 
It  is  elearly  true  for  the  null  traee,  and  our  objeetive  is  to  show  that  the  invariant  is  preserved 
by  each  of  the  rules  for  appending  events  to  traces. 

As  is  often  the  case  with  inductive  proofs,  the  invariant  has  to  be  strengthened  to  carry 
out  the  induction.  The  invariant  that  we  will  actually  prove  is  that  X  ^  7;t['S'],  where  7;t['S'] 
is  a  Thayer-Herzog-Guttman  ideal,  a  set  of  fi  elds  that  includes  S  and  which  is  closed  under 
concatenation  with  any  fi  elds  and  encryption  wifh  keys  in  k. 

As  defined  in  [7],  4 [<5]  is  fhe  smallesf  sef  of  fields  including  S  such  fhaf  for  all  X  E 
Ik  [S'] ,  keys  K  E  k,  and  fi  elds  Y, 

1.  {X,Y)Elk[S] 

2.  {Y,X)  E  7,[S] 

3.  e  7,[S] 

The  reason  for  profecfing  fhe  whole  ideal  is  fhaf  compromising  any  elemenf  of  fhe  ideal 
effeclively  compromises  some  elemenf  of  S. 

For  our  purposes,  k  is  fhe  sef  of  keys  whose  corresponding  inverse  keys  are  nof  in  S. 
Thus,  we  use  fhe  special  ideal: 


27 


J[S]  =  7^[5]  where  k  =  {K\K-^  ^  5}. 

More  generally,  an  ideal  should  be  elosed  under  all  transformations  that  are  reversible 
by  the  spy. 

We  remarked  in  the  previous  seetion  that  the  eondition  /  n  S'  =  0  is  not  enough  to  make 
(T,  S,  I)  aprotoeol.  This  is  beeause  the  spy’s  initial  knowledge  should  not  eontain  anything 
in  J[S].  Thus,  we  will  assume  that 

I  n  J[S]  =  0. 


6  Modelling  the  Spy 

Given  a  traee  representing  the  history  of  messages  already  sent,  the  spy  ean  examine  the 
eontents  of  all  messages,  analyze  them  by  deerypting  fi  elds  for  whieh  he  has  the  appropriate 
key,  and  synthesize  new  messages  from  the  fi  elds  thus  obtained.  Paulson  introdueed  the  set 
funetions  sees,  parts,  analz,  and  synth  to  deseribe  these  aetivities. 

Given  a  traee  t,  the  message  eontents  seen  by  the  spy  form  the  set  of  fi  elds: 

sees(f)  =  {X\{3A,B){A  ^  B:X)  ^t}. 

Notation.  We  are  using  E  to  denote  oeeurrenee  of  a  message  in  a  traee  as  well  as 
for  set  membership.  We  will  abbreviate  sees(f)  with  an  underline:  sees(t)  =  t.  Also,  if 
m  =  {A  ^  B  :  X),  we  will  write  m  =  X.  Thus,  t  =  {rn\m  E  t}. 

The  parts  of  a  set  G  of  fi  elds  inelude  the  eomponents  of  eoneatenations  and  the  plaintext 
of  enerypted  ti  elds. 

X  E  parts(G)  iff 
X  E  Gor 

(3y)((X,  y)  E  parts(G)  or  {Y,X)  e  parts(G))  or 
Ibk){X}k  G  parts(G). 

The  spy  eannot  analyze  out  all  the  parts,  only  those  for  whieh  he  has  the  needed  keys. 
The  spy-visible  subset  of  parts  is  analz. 

X  E  analz(G)  iff 
X  E  Gor 

(3y)((X,  y)  E  parts(G)  or  (y,  X)  E  analz(G))  or 
(3X)({X}x  e  analz(G)  andX“^  E  analz(G)). 

Fields  are  synthesized  from  existing  ones  by  eoneatenating  them  and  enerypting  them. 

X  E  synth(G)  iff 
X  E  Gor 

(3y,  y  E  G)x  =  (y,  z)  or 
(3x,y  EG)x  =  {y}x. 


28 


Paulson  showed  that  each  of  these  three  operators  is  idempotent:  that  is, 
parts(parts(G))  =  parts(G),analz(analz(G))  =  analz(G),  and  synth(synth(G))  = 
synth(G). 

Given  a  trace  t  representing  a  history  of  message  events,  the  spy  can  fabricate  new 
message  events  Spy  B  ■.  X  to  any  agent  B  provided  that  X  can  be  synthesized  from 
fi  elds  analyzed  from  t  or  already  known  initially.  Suppose  the  spy  initially  knows  the  fi  elds 
in  I.  The  predicate  Fake  gives  the  rule  for  creating  spy-fabricated  messages: 

Fake(m,  f,  I)  iff 

(3.B,  X)B  e  A  and 
m  =  Spy  B  :  X  and 
X  e  synth(analz(f  u /)). 

As  usual,  the  spy  is  assumed  to  know  the  identities  of  all  agents,  so  they  do  not  have 
to  be  included  in  I.  Other  fields  such  as  the  spy’s  own  secret  keys  have  to  be  put  into  I 
because  we  don’t  have  a  general  protocol-independent  way  to  express  them. 

7  The  Secrecy  Theorem 

The  proof  of  security  has  a  general  protocol-independent  part  and  a  protocol-specifi  c  part. 
The  “Secrecy  Theorem”  given  in  this  section  is  the  protocol-independent  part. 

A  trace  is  called  safe  if  no  fi  eld  analyzable  from  if,  using  fi  elds  in  I,  is  in  fhe  secref 
ideal.  If  every  frace  in  a  profocol  is  safe,  fhen  no  message  exposes  any  fi  eld  in  S,  and  fhe 
profocol  is  secure. 

Lef  j|;^  =  {X  e  field  ^  J[S]}. 

t  is  {S,  I) -safe  iff 

analz(f  u  I)  c  J[S']. 

The  public  sef  J[S']  has  fhe  inferesfing  and  useful  properly  lhal  if  is  closed  under  appli- 
cafion  of  analz.  This  makes  sense,  since  J[S']  is  closed  under  operafions  lhal  are  reversible 
by  analz.  This  “analz-closure”  properly  is  slated  below  and  proved  in  fhe  appendix.  If 
plays  an  imporfanl  pari  in  fhe  proof  of  fhe  Secrecy  Theorem. 

Lemma  1  (Analz-closure)  analz( J[5])  C  J[S]. 

A  profocol  is  event-safe  if,  given  a  safe  frace  of  prior  messages,  fhe  conlenl  of  fhe  nexl 
message  is  nol  in  fhe  secref  ideal.  Proving  evenl  safely  is  a  prolocol-specifi  c  aclivily.  If  is 
essentially  fhe  induction  slep  of  fhe  overall  proof. 

A  profocol  (T,  S',  I)  is  event-safe  iff 

(t  is  (S,  I) -safe  and  tm  ^T)  ^  me  J[S]. 


29 


Theorem  2  (Secrecy)  If  (T,  S',  I)  is  event-safe  then  t  is  (S,  I)-safefor  all  t  ^T. 

The  proof  of  the  Seereey  Theorem  is  in  the  appendix.  A  maehine-eheeked  PVS  proof 
also  exists. 


8  The  ffgg  Protocol  Rules 

The  formal  version  of  the  ffgg  protoeol  is  a  reeursive  predieate  defi  ning  a  set  of  traees.  The 
defi  nition  says  that  a  message  event  may  be  appended  to  a  traee  if  it  is  permitted  by  any  of 
fi  ve  rules,  of  whieh  one  is  the  Fake  rule  and  the  others  eorrespond  to  the  four  messages  in 
the  normal  protoeol  sequenee.  A  “rule”  is  just  a  predieate  relating  a  possible  new  message 
to  a  prior  traee. 

ffgg(f)  iff 

null(f)  or 

t  =  sm  where  ffgg(s)  and 

(Fake(m,  s,  I)  or 

al(m,  s)  or 

bf(m,  s)  or 

a2(m,  s)  or 

bg(m,s)). 

The  message-generating  rules  are  given  below.  The  messages  in  this  version  of  the 
protoeol  are  somewhat  more  elaborate  than  before.  The  message  number  and  the  identity 
of  the  sender  have  been  added  to  the  eontent  of  eaeh  message  (sinee  the  aetual  souree  will 
not  be  visible  to  the  reeipient). 

Terminology:  M  is  a  fi  xed  seeret  fi  eld  that  may  be  sent  to  any  agent  exeept  the  Spy. 
There  is  a  funetion  pk  that  maps  any  agent  to  its  publie  key. 

al(m,  t)  iff 

(3A,  B)A  /  B  and 
m  =  {A^  B:1,A) 

bf(m,  t)  iff 

{BA,B,C,Ni,N2) 
m  —  B  ^  A  :  2,B,Ni,N2  and 
{C  ^  B:  Ni,A)  e  f  and 
M  Ni  parts(f)  and 
M  ^  N2  ^  pai'ts(f) 


a2(m,  t)  iff 

(3A,5,C',iVi,iV2,M') 


30 


m  —  A^B:  3,  A,  {Ni,  N2,  and 

{B  /  Spy  or  M'  7^  M)  and 
M'  ^  parts(£)  and 
{C  ^  A:2,B,Ni,N2) 

bg(m,  t)  iff 

{3A,B,C,X,Y,Ni,N2) 

B  ^  A:  4:,Ni,X,{X,Y,  and 

(C  ^  i?  :  3,  A  {iVi,  X,  e  f  and 

{B  ^  A:  2,B,Ni,N2)  €  f  and 
{yZ){B  A:4,Ni,Z) 

The  al  rule  should  need  no  explanation,  but  the  rest  probably  do.  Note  that  the  agent 
identifi  ers  A^  B,  ete.,  are  variables.  These  rules  ean  be  used  by  any  agents  at  any  time,  and 
the  generated  traee  eould  be  a  mixture  of  any  number  of  sessions. 

In  bf,  the  eonditions  that  Ni  and  N2  do  not  oeeur  in  t  imply  that  Ni  and  N2  are  fresh; 
they  have  not  been  used  before.  The  faet  that  Ni  and  N2  are  not  guessable  by  the  spy  is 
implieit  in  the  faet  that  they  eannot  be  generated  by  a  Fake  message.  If  we  wanted  them  to 
be  guessable,  we  would  add  them  to  the  initial  knowledge  I.  Freshness  is,  of  eourse,  not 
implemented  by  reading  the  traee,  but  instead  by  generating  nonees  randomly. 

In  bf  and  most  of  the  other  rules,  there  is  nothing  to  prevent  an  agent  from  generating  the 
same  message  repeatedly,  whieh  would  not  be  allowed  with  a  more  standard  state-transition 
proeess  speeifi  eation.  The  extra  messages  are  not  a  problem  when  proving  a  eonfi  dentiality 
property,  sinee  if  a  seeret  is  not  exposed  with  a  liberal  protoeol  speeifi  eation,  it  is  eertainly 
not  exposed  with  a  more  restrietive  one. 

The  a2  rule  generates  a  message  with  a  fi  eld  M  that  may  or  may  not  be  the  seeret  M. 
The  eonditions  on  M'  are  that  M'  is  fresh  and  that  M'  is  not  M  if  the  message  is  being  sent 
to  the  Spy. 

Rule  bg  ineludes  a  eheek  that  message  4  with  nonee  Ni  has  not  been  sent  previously.  It 
also  eheeks  that  the  same  agent  B  has  sent  message  2  with  Ni.  Agent  B  does  not  have  to 
read  the  traee  to  know  whether  these  eonditions  are  satisfi  ed;  they  would  be  implemented 
by  saving  internal  state  information. 

The  protoeol  ffgg  is  the  triple  (T,  S',  I)  where 

T  =  {t\  ffgg(f)} 

S  =  {M}  U  {pk(A)-i|A  7^  Spy  } 

I  =  {pk(Spy)“^}  U{pk(A) \A  eA}UA 


31 


9  Characterizing  Concurrency 


We  know  that  protocol  ffgg  is  not  secure,  since  an  attack  has  been  exhibited.  What  we  can 
prove  is  that  the  protocol  fgfg  =  (T',  S',  I)  is  secure,  where  T'  =  {t|  ffgg(t)  and  t  is  not 
concurrent}. 

By  “concurrency”  we  mean  actual  rather  than  potential  concurrency.  It  is  a  property  of 
a  trace  indicating  that  two  processes  are  interleaved  in  such  a  way  that  neither  one  fi  nishes 
before  the  other  starts.  An  initiator  process  and  a  responder  process  normally  run  concur¬ 
rently.  What  we  are  looking  for  here  is  role  concurrency  in  two  responder  processes  running 
on  behalf  of  the  same  agent. 

We  have  characterized  concurrency,  for  our  purposes,  in  two  ways.  First,  there  is  a 
general  observation,  stated  as  an  axiom,  that  concurrency  is  persistent: 

Axiom  1  (Persistence  of  Concurrency)  If  t  is  a  concurrent  trace,  and  s  is  a  trace,  then  ts 
is  a  concurrent  trace. 

Second,  we  can  identify  role  concurrency  specifi  cally  in  the  ffgg  protocol,  when  it  hap¬ 
pens  with  multiple  session  processes  of  the  same  agent  playing  the  role  of  responder.  Role 
concurrency  has  occurred  for  agent  B  when  the  trace  contains  messages  mi,  m2,  m3, 7714 
in  that  order,  but  not  necessarily  consecutively,  such  that: 

mi  =  .B  — 7  A  :  2,  S,  Wi,  iV2 
m2^B^  A'  2,B,NfN!^ 
m^  =  B^  A-.  A, Ni,X 
mi  =  B^  A'  :  A,N{,Y 

Here,  the  responder  role  is  identifi  ed  by  the  message  numbers  2  and  4  (not  by  the  use  of 
“B”  as  the  agent  variable),  and  the  different  session  processes  are  distinguished  by  different 
nonces,  Ni  vs.  N{ .  The  fi  rst  nonce  in  each  message  identifi  es  fhe  session  process  because 
nonces  are  generafed  freshly  in  each  session,  and  fhe  fi  rsf  nonce  in  message  4  is  fhe  same  as 
fhaf  in  message  2  only  if  fhaf  message  belongs  fo  fhe  same  session  process.  Thus,  mi,  m3 
belong  fo  one  session  process  and  m2,  mi  belong  fo  anofher.  The  agenfs  A  and  A'  do  nol 
have  fo  be  fhe  same;  buf  fhey  are  fhe  same  in  fhe  ffgg  affack. 

Role  concurrency  has  sfill  occurred  if  fhese  messages  appear  in  fhe  order 
m2,  mi,  m3,  mi.  In  eifher  case,  fhe  fwo  session  processes  are  concurrenf  because  fhey 
are  nof  sequenfial:  neifher  one  fi  nishes  before  fhe  ofher  sfarfs. 


32 


10  Proof  Notes 

PVS  is  an  interactive  environment  for  writing  formal  specifications  and  checking  formal 
proofs.  It  supports  a  variety  of  standard  data  types  useful  in  mathematics  and  computer 
science,  and  it  facilitates  the  defi  nition  of  new  abstract  data  types.  The  PVS  proof  checker 
manages  the  proof  construction  process  and  provides  simplifi  cation  and  decision  procedures 
to  carry  out  relatively  large  proof  steps. 

As  encoded  in  the  PVS  language,  message  events  and  their  components  were  abstract 
data  types,  and  traces  were  LISP-like  lists.  Field-set  functions  like  synth  were  defi  ned 
recursively,  excepf  for  analz,  which  was  defi  ned  as  an  inducfive  relation  in  almost  exactly 
the  form  shown  earlier.  The  needed  properties  stated  by  Paulson  were  all  confi  rmed,  along 
with  the  new  results  such  as  analz-closure. 

The  bulk  of  the  protocol-specifi  c  part  of  the  proof  was  for  the  “main  lemma,”  which 
was  the  statement  that  fgfg  is  event-safe.  Proofs  are  recorded  and  can  be  replayed,  causing 
the  proof  checker  to  recheck  the  steps  against  the  current  version  of  the  specifi  cation  fi  les. 
Proof-checking  the  main  lemma  takes  about  75  seconds  of  CPU  time.  This  does  not  include 
the  checks  of  previously  proved  lemmas,  which  were  much  shorter. 

The  proof  was  primarily  a  matter  of  considering,  in  turn,  the  rules  by  which  a  new 
message  could  be  generated,  and  asking  how  that  message  could  possibly  be  in  J[S].  A 
secret  message  content  could  not  be  generated  by  the  Fake  rule,  because  of  the  synth-closure 
lemma  below,  and  Fake  messages  are  synthesized  from  the  prior  trace,  which  was  assumed 
(S',  7)-safe.  Synth-closure,  like  Analz-closure,  is  easy  to  prove. 

Lemma  3  (Synth-closure)  G  C  J[S]  synth (G)  C  J[S] 

The  only  other  rule  that  could  possibly  generate  a  secret  message  content  is  bg.  This 
case  led  to  an  examination  of  the  prior  messages  that  must  have  been  sent,  and  the  messages 
that  must  have  preceded  them.  All  cases  were  eliminated  except  for  one,  which  exhibits  the 
ffgg-specifi  c  condition  for  role  concurrency. 

Most  of  the  PVS  specifi  cations  for  fhe  profocol  and  supporfing  fheories  are  given  in  an 
appendix,  and  so  is  fhe  fi  nal  concurrenf  case.  These  specifi  cations  are  included  in  fhe  reporf 
for  reference  purposes  and  are  intelligible  only  fo  readers  familiar  wifh  fhe  PVS  language. 

11  Conclusions 

We  have  given  an  example  profocol,  fhe  ffgg  profocol,  for  which  role  concurrency  is  neces¬ 
sary  fo  disclose  a  secrecy  compromise.  Allhough  fhe  example  only  exhibifs  a  need  for  Iwo 
concurrenf  processes,  if  is  apparenl  from  fhe  slruclure  of  fhe  messages  lhal  any  degree  of 
concurrency  could  be  forced  by  inserting  more  nonces. 

We  have  nol  addressed  non-secrecy  policies  such  as  aulhenficafion  or  non-repudiation, 
buf  fhe  overall  approach  of  proving  fhe  protocol  correcf  excepf  for  a  concurrenf  case  should 
still  apply. 


33 


Concurrency  was  formalized  in  a  protocol-specifi  c  way.  It  would  be  desirable  to  express 
concurrency  more  generally.  To  do  so,  there  would  have  to  be  a  general  way  of  associating 
message  events  with  the  session  process  that  produced  them.  That  seems  to  require  some 
foresight  in  the  design  of  message  events  when  the  protocol  is  specifi  ed  formally  at  the 
process  level. 


Acknowledgement 


The  motivation  for  this  example  and  improvements  in  its  presentation  arose  from  helpful 
discussions  with  Grit  Denker. 


34 


References 


[1]  G.  Lowe,  “Towards  a  completeness  result  for  model  checking  of  security  pro¬ 
tocols,”  1998  Computer  Security  Foundations  Workshop,  IEEE  Computer  So¬ 
ciety,  1998. 

[2]  W.  Marrero,  E.  Clarke,  and  S.  Jha,  “Model  checking  for  security  protocols,” 
Carnegie  Mellon  University,  CMU-CS-97-139,  1997. 

[3]  J.  C.  Mitchell,  M.  Mitchell,  and  U.  Stem,  “Automated  analysis  of  crypto¬ 
graphic  protocols  using  Murphi,”  IEEE  Symposium  on  Security  and  Privacy, 
IEEE  Computer  Society,  1997,  pp.  141-151. 

[4]  S.  Owre,  J.  Rushby,  N.  Shankar,  and  E.  von  Henke,  “Eormal  verifi  cation  for 
fault-tolerant  architectures:  prolegomena  to  the  design  of  PVS,”  IEEE  Trans. 
Software  Eng.  21(2),  Eeb.  1995,  pp.  107-125. 

[5]  E.  Paulson,  “Proving  properties  of  security  protocols  by  induction,”  10th  IEEE 
Computer  Security  Eoundations  Workshop,  IEEE  Computer  Society,  1997,  pp. 
70-83. 

[6]  A.  W.  Roscoe,  “Modelling  and  verifying  key  exchange  protocols  using  EDR,” 
1995  Computer  Security  Eoundations  Workshop,  IEEE  Computer  Society, 
1995,  pp.  98-107. 

[7]  E.  J.  Thayer,  J.  Herzog,  and  J.  Guttman,  “Honest  ideals  on  strand  spaces,”  1998 
Computer  Security  Eoundations  Workshop,  IEEE  Computer  Society,  1998. 


35 


A  Proof  of  Analz-closure 

Lemma  1  (Analz-closure)  analz( J[S'])  C  J[S']. 

Proof.  The  proof  makes  use  of  a  fi  xpoint  induetion  prineiple  based  on  the  defi  nition  of 
analz.  It  ean  be  shown  that  if: 

1.  i?  C  Tand 

2.  (X,  y)  e  T  ^  X  e  T  and  y  e  T  and 

3.  {X}k  e  T  and  X  eT 

then  analz(i?)  C  T.  In  partieular,  analz(T)  C  T  requires  only  items  2  and  3.  For  T  = 
J[S'],  these  statements  are  just  the  eontrapositives  of  the  elosure  properties  defi  ning  J[S'].  ■ 


B  Proof  of  Secrecy  Theorem 

Theorem  2  (Secrecy)  If  (T,  S',  I)  is  event-safe  then  t  is  (S,  I)-safefor  all  t  ^T. 

Proof  The  proof  is  by  induetion  on  the  length  of  the  traee  t.  The  null  traee  is  (S,  J)-safe 
if  analz(7)  C  J[S].  But  I  C  J[S]  beeause  (T,  S,  I)  is  a  protoeol.  As  Paulson  noted,  analz 
is  monotonie,  so 

analz(I)  c  analz(J[S]). 

An  applieation  of  analz-elosure  eompletes  this  ease. 

Now  assume  that  t  =  sm,  and  we  have  the  induetion  hypothesis  that  s  is  (S,  I) -safe. 
We  must  show  that 

analz(^U  /)  c  J[S]. 

By  analz-elosure,  it  suffi  ees  to  show  that 

sm  U  /  C  J[S]. 

But  sm  =  s  U  {m}.  Event-safety  of  (T,  S,  I)  says  that 

m  G  J[S]. 

Sinee  s  is  (S,  /)-safe,  we  also  have 

sU7  c  analz(su7)  c  J[S].u 


36 


C  PVS  Theories 


This  appendix  containing  PVS  specifications  is  included  in  the  interests  of  making  this 
report  as  useful  as  possible  to  those  who  might  wish  to  use  it  as  a  starting  point  for  their 
own  approaches. 

The  proofs  in  this  report  required  six  new  PVS  theories:  message,  parts,  ffgg,  ideal, 
protocols,  and  results.  Four  of  these  are  not  specifi  c  to  the  ffgg  protocol  and  could  he  used 
for  other  protocol  proofs,  although  some  modifi  cations  and  extensions  might  he  needed  to 
handle  protocols  with  new  computational  operators.  These  four  are:  message,  parts,  ideal, 
and  protocols. 

The  theories  are  listed  here  essentially  as  they  are  in  the  original  fi  les,  except  that  the 
statements  of  a  number  of  trivial  lemmas  (and  a  few  not-so-trivial  ones)  are  omitted  from 
message  and  parts,  because  they  are  not  important  in  themselves. 

A  few  of  the  results  named  in  the  report,  such  as  Analz-closure,  appear  in  the  listing 
with  different  names,  such  as  (in  this  case)  Analzqmblic.  There  is  a  comment  in  the  listing 
in  each  case.  Also,  the  theories  and  results  are  actually  called j^gg2  and  results!.  I  have 
resisted  the  urge  to  clean  up  the  nomenclature  further. 

Given  that  the  reader  is  familiar  with  the  PVS  specifi  cation  language,  fhe  nexf  mosf 
imporfanf  fhing  fo  poinf  ouf  abouf  fhe  protocol  represenfafion  used  here  is  fhaf  a  frace  is  a 
lisf  of  evenfs,  wifh  fhe  lasf  evenf  cons’d  fo  fhe  leff  end  of  fhe  lisf. 


37 


message:  THEORY 


BEGIN 

agent:  DATATYPE 
BEGIN 

Server:  Server? 

Spy:  Spy? 

User  (Id:  nat) :  User? 

END  agent 

pkey:  TYPE+ 
skey:  TYPE+ 

invkey (Kl :  pkey) :  pkey 

keypair{Kl,  K2:pkey)  :  bool  =  (invkey  (Kl)  =  K2) 

pub (A:  agent) :  pkey 
prv{A:  agent) :  pkey 
shr{A:  agent) :  skey 

field:  DATATYPE 
BEGIN 

Agent  (Name:  agent) :  Agent? 

Nonce  (Seq:  nat) :  Nonce? 

Pkey  (Pkval:  pkey) :  Pkey? 

Skey  (Skval:  skey) :  Skey? 

Hash  (Arg:  field) :  Hash? 

Con  (Head:  field,  Tail:  field) :  Con? 

Ped  (Pcv:  pkey,  Ptext:  field) :  Ped? 

Sed  (Scv:  skey,  Stext:  field) :  Sed? 

END  field 

event:  DATATYPE 
BEGIN 

Said  (Src:  agent.  Best:  agent.  Cent:  field) : 
END  event 

trace:  TYPE  =  list [event] 


Said? 


38 


Pkey_inv:  AXIOM 

FORALL  (K:  pkey) :  invkey (invkey (K) )  =  K 
Inv_pub:  AXIOM 

FORALL  (A:  agent) :  invkey (pub (A) )  =  prv (A) 


Unique_pub : 

AXIOM 

EORALL 

(A, 

B: 

agent) : 

pub (A) 

=  pub{B) 

=  > 

A  = 

B 

Unique_prv : 

AXIOM 

FORALL 

(A, 

B: 

agent) : 

prv (A) 

=  prv{B) 

=> 

A  = 

B 

Unique_shr : 

AXIOM 

FORALL 

(A, 

B: 

agent) : 

shr (A) 

=  shr  (B) 

=  > 

A  = 

B 

Pkey_exclusion :  AXIOM 

FORALL  (A,  B:  agent) :  pub (A)  /=  prv{B) 

Agent_keypair :  AXIOM 

FORALL  (A:  agent):  keypair (pub { A) ,  prv{A)) 
%  (some  basic  lemmas  omitted) 

END  message 


parts:  THEORY 
BEGIN 

IMPORTING  message 

X,  Y,  Z,  W:  VAR  field 

H:  VAR  trace 

Kp :  VAR  pkey 

Ks :  VAR  skey 

A,  B:  VAR  agent 

N:  VAR  nat 

E:  VAR  event 

S,  SI:  VAR  set [field] 


39 


depth  (X)  :  nat  =  reduce_nat { 


(lambda 

(a 

agent ) 

:  1) 

t 

0, 

0 

Agent 

(lambda 

(n 

nat)  : 

1)  , 

0, 

0 

Nonce 

(lambda 

(k 

pkey) : 

1)  , 

0, 

0 

Pkey 

(lambda 

(k 

skey) : 

1)  , 

0, 

0 

Skey 

(lambda 

(n 

nat)  : 

n  + 

1)  , 

g, 

0 

Hash 

(lambda 

(n 

nat)  , 

(m: 

nat)  : 

n  +  m  + 

1),  % 

Con 

(lambda 

(k 

pkey) , 

(n: 

nat ) 

:  n  +  1)  , 

0, 

0 

Ped 

(lambda 

(k 

skey) , 

(n: 

nat ) 

:  n  +  1) 

0, 

0 

Sed 

)  (X) 

Pos_depth:  CONJECTURE  depth (X)  >  0 

part?{X,  Y) :  RECURSIVE  bool  = 

IF  X  =  Y  THEN  TRUE 
ELSE  CASES  Y  OF 

Con{Z,  W) :  part? (X,  Z)  OR  part? {X,  W) , 

Red (Kp,  Z)  :  part?  {X,  Z)  , 

Sed (Ks,  Z)  :  part?  {X,  Z) 

ELSE  FALSE 
ENDCASES 
END  IF 

MEASURE  (lambda  {X,  Y) :  depth (Y) ) 

parts  {S){X):  bool  =  EXISTS  Y:  S (Y)  AND  part?  (X,  Y) 

sees{H) (X) :  bool  =  EXISTS  E:  member{E,  H)  AND  Cont{E)  =  X 

parts_tr{H):  set [field]  =  parts (sees (H) ) 

%  (Some  basic  lemmas  omitted) 

analz (S)  (X)  :  inductive  bool  =  S  (X)  or 

(exists  Kp:  analz (S) (Ped(Kp,  X)) 

and  analz  (S)  (Pkey ( invkey (Kp) ) )  )  or 
(exists  Ks :  analz (S) (Sed(Ks,  X)) 
and  analz  (S)  (Skey (Ks)  ) )  or 
(exists  Y:  analz  (S)  (Con  (X,  Y) ) )  or 
(exists  Y:  analz (S) (Con (Y,  X))) 


40 


analz_tr{H):  set[field] 


analz (sees (H) ) 


Analz_induct :  LEMMA 
(FORALL  S,  SI: 

(FORALL  X: 

S  (X) 

OR  (EXISTS  Kp:  Sl{Ped{Kp,  X))  AND  SI (Pkey (invkey (Kp) ) ) ) 
OR  (EXISTS  Ks:  SI(Sed(Ks,  X))  AND  SI (Skey (Ks) ) ) 

OR  (EXISTS  Y:  SI  (Con  (X,  Y)  )  )  OR  (EX¬ 
ISTS  Y:  SI (Con (Y,  X) ) ) 

IMPLIES  SI (X) ) 

IMPLIES  subset? (analz (S)  ,  SI)) 

%  (some  basic  lemmas  omitted) 

synth(S) (X) :  RECURSIVE  bool  = 

IF  S(X)  THEN  TRUE 
ELSE  CASES  X  OF 

Hash (Y)  :  synth  (S)  (Y) , 

Con(Y,  Z) :  synth(S)(Y)  AND  synth(S)(Z), 

Ped(Kp,  Y) :  S(Pkey(Kp))  AND  synth (S)(Y), 

Sed(Ks,  Y)  :  synth  (S)  (Skey  (Ks) )  AND  synth(S)(Y) 

ELSE  FALSE 
ENDCASES 

ENDIF 

MEASURE  depth 

%  (some  basic  lemmas  omitted) 

Fake  (E,  H,  S)  :  bool  = 

EXISTS  A,  X: 

E  =  Said (Spy,  A,  X)  AND 

synth (analz (union  (sees  (H) ,  S)))  (X) 


END  parts 


o, 

o 


ideal:  THEORY 


BEGIN 


41 


IMPORTING  parts 


X,  Y,  Z:  VAR  field 

Kp :  VAR  pkey 

Ks :  VAR  skey 

NA,  NB:  VAR  nat 

A,  B:  VAR  agent 

H:  VAR  trace 

S,  T:  VAR  set [field] 

secret  (S)  (X)  :  RECURSIVE  bool  = 

IF  S{X)  THEN  TRUE 
ELSE  CASES  X  OF 

Con (Y,  Z) :  secret (S) (Y)  OR  secret (S) (Z) , 

Ped{Kp,  Y)  :  secret  (S)  (Y) 

AND  NOT  secret  { S )  (Pkey { invkey (Kp) )) , 

Sed{Ks,  Y)  :  secret  (S)  (Y) 

AND  NOT  secret (S) {Skey{Ks)) 

ELSE  FALSE 
ENDCASES 

ENDIF 

MEASURE  depth 

%  secret (S)  is  the  Thayer-Herzog-Guttman  k-ideal  I_k[S], 

%  where  "k"  consists  of  all  keys  whose  in¬ 
verses  are  not  secret. 

%  (This  is  called  J[S]  in  the  report.) 

%  This  is  the  set  of  messages  from  which  the  spy  could 
%  analyze  an  element  of  S. 

%  (We  could  have  used  keys  not  in  S,  but  some  day  there  will 
%  be  computed  keys,  e.g.,  xor{Ksl,  Ks2).) 

public  (S)  (X)  :  bool  =  NOT  secret  (S)  (X) 

publics  (S)  (T)  :  bool  =  subset? (T,  public (S)) 

basic?  (S):  bool  =  FORALL  X: 

S{X)  =>  (Nonce? (X)  OR  Pkey? (X)  OR  Skey? (X) ) 


42 


Synth_rank:  LEMMA  %  called  ' 'Synth- 

closure' '  in  the  report 

(publics (S) (T)  AND  basic? (S)) 

=>  publics (S)  {synth{T)) 

Public_part:  LEMMA 

public {S){X)  OR  (EXISTS  Y:  S (Y)  AND  part? (Y,  X)  ) 


Public_trace :  LEMMA 

publics (S) (analz (sees (H) ) )  OR 
(EXISTS  X:  S(X)  AND  parts_tr (H) (X) ) 

Public_sub:  LEMMA 

EORALL  (S,  T,  TI :  set [field]): 

(subset?  (Tl,  T)  AND  publics  (S)  (T) )  =>  publics  (S)  (Tl) 

Analz_public :  LEMMA  %  called  ' 'Analz- 

closure' '  in  the  report 

subset? (analz (public (S) ) ,  public (S) ) 

END  ideal 


o, _ 

o 

protocols:  THEORY 
BEGIN 

IMPORTING  message,  parts,  ideal 

E:  VAR  event 
X:  VAR  field 
H,  Hp,  HI:  VAR  trace 
S,  I:  VAR  set [field] 

P:  VAR  set [trace] 

pref ix_closed (P ) :  bool  = 

EORALL  E,  H:  P(cons(E,  H) )  =>  P (H) 

safe(S,  I) (H) :  bool  = 


43 


publics  (S)  (analz  (union (sees (H) ,  I)  )  ) 


protocol (P,  S,  I) :  bool  = 

pref ix_closed (P )  AND  basic? (S) 

AND  safe{S,  I)  (null) 

extends? (H,  Hp) :  RECURSIVE  bool  = 

IF  H  =  Hp  THEN  TRUE 
ELSE  CASES  H  OF 

cons  (E,  HI):  extends?  (HI,  Hp) , 
null :  null? (Hp) 

ENDCASES 
END  IF 

MEASURE  LAMBDA  (H,  Hp)  :  length  (H) 

Extends_trans :  LEMMA 

(extends?  (H,  HI)  AND  extends? (HI,  Hp) )  =>  ex¬ 
tends?  (H,  Hp) 

Extends_sub:  LEMMA 

extends? (H,  Hp)  =>  subset? (sees (Hp) ,  sees (H)  ) 

First_occ:  LEMMA 
parts_tr (H) (X) 

=>  (EXISTS  E,  Hp: 
extends? (H,  cons (E,  Hp) ) 

AND  part?(X,  Cont  (E) ) 

AND  NOT  parts_tr(Hp) (X)) 

Extends_closed :  LEMMA 

(extends? (H,  Hp)  AND  prefix_closed (P)  AND  P (H) ) 

=>  P(Hp) 

Extends_saf e :  LEMMA 

(extends? (H,  Hp)  AND  safe(S,  I)  (H) )  =>  safe(S,  I)  (Hp) 
Mem_event :  LEMMA 

(protocol (P,  S,  I)  AND  P (H)  AND  member (E,  H)  ) 

=>  EXISTS  Hp:  P  (cons  (E,  Hp)  )  AND  ex¬ 
tends?  (H,  cons(E,  Hp) ) 


44 


Mem_event_saf e :  LEMMA 
(protocol  (P,  S,  I) 

AND  safe{S,  I) (H)  AND  P (H) 

AND  member (E,  H) ) 

=>  public (S) {Cont{E)) 

event_saf e (P,  S,  I) :  bool  =  FORALL  E,  H: 
{safe{S,  I)  (H)  AND  P (cons  (E,  H)  ) ) 

=>  public  (S)  {Cont{E)) 

Secrecy:  THEOREM 

(protocol  (P,  S,  I)  AND  event_safe (P,  S,  I)) 
=>  subset? (P,  safe(S,  I)) 

END  protocols 


ffgg:  THEORY 
BEGIN 

IMPORTING  message,  parts 

A,  B,  C:  VAR  agent 
X,  Y,  Z:  VAR  field 
E:  VAR  event 
H:  VAR  trace 
Nl,  N2,  Ma:  VAR  nat 

M:  nat  %  the  secret  message  (nonce) 

initial (X) :  bool  = 

X  =  Pkey (prv (Spy) )  OR 
(EXISTS  A:  X  =  Pkey (pub (A) ) 

OR  X  =  Agent (A) ) 

secrets (X) :  bool  = 

X  =  Nonce (M)  OR 

(EXISTS  A:  A  /=  Spy  AND  X  =  Pkey (prv (A) ) ) 
BigM:  AXIOM  M  >  4 


45 


A  ->  B:  1  A 


al (E,  H) :  bool  = 

EXISTS  (A,  B) : 

A  /=  B  AND 
E  =  Said (A,  B,  Con (Nonce  { 1 ) ,  Agent  (A)  )  ) 


bf  (E,  H)  :  bool  =  %  B  ->  A:  2  B  N1  N2 

EXISTS  (A,  B,  C,  NI,  N2) : 

E  =  Said{B,  A,  Con (Nonce { 2 ) ,  Con (Agent (B) ,  Con (Nonce (NI ) ,  Nonce (N2)))) 
AND  member (Said (C,  B,  Con (Nonce ( I ) ,  Agent (A) ) ) ,  H) 

AND  NOT  parts_tr(H) (Nonce (NI)) 

AND  NOT  parts_tr(H) (Nonce (N2)) 

AND  NI  /=  M  AND  N2  /=  M 


a2 (E,  H) :  bool  =  %  A  - 

>  B:  3  A  {NI  N2  M}PB 

EXISTS  (A,  B,  C,  NI,  N2,  Ma) : 

E  =  Said (A,  B,  Con (Nonce ( 3 ) ,  Con (Agent (A)  ,  Bed (pub (B), 

Con (Nonce (NI) ,  Con (Nonce (N2)  ,  Nonce (Ma)  )))))) 

AND  (B  /=  Spy  OR  Ma  /=  M) 

AND  NOT  parts_tr(H) (Nonce (Ma)) 

AND  member (Said (C,  A,  Con (Nonce (2 ) , 

Con (Agent (B) ,  Con (Nonce (NI) ,  Nonce (N2) ) ) ) ) ,  H) 

bg(E,  H)  :  bool  =  %  B  - 

>  A:  4  NI  N2  {N2  M  NI }PB 

EXISTS  (A,  B,  C,  X,  Y,  NI,  N2 ) : 

E  =  Said(B,  A,  Con (Nonce ( 4 ) ,  Con (Nonce (NI ) , 

Con(X,  Ped(pub(B),  Con (X,  Con (Y,  Nonce (NI ))))))) ) 

AND  member (Said (C,  B,  Con (Nonce (3 ) ,  Con (Agent (A) , 

Ped(pub(B),  Con (Nonce (NI ) ,  Con  (X,  Y) )  ) ) ) ) ,  H) 

AND  member (Said (B,  A,  (Con (Nonce (2) ,  Con (Agent (B)  , 

Con (Nonce (NI ) ,  Nonce (N2 )))))) ,  H)  %  B  checks  A  and  NI 

AND  NOT  EXISTS  Z:  %  B  has  not  sent  this  before 

member (Said (B,  A,  Con (Nonce  ( 4 ) ,  Con (Nonce (NI ) ,  Z) )  ) ,  H) 


ffgg(Q:  trace):  RECURSIVE  bool  = 
CASES  Q  OF 

cons (E,  H)  :  ffgg(H)  AND 

(Fake  (E,  H,  initial) 

OR  al  (E,  H) 


46 


OR  bf  (E,  H) 

OR  a2  (E,  H) 

OR  bg (E,  H) ) , 
null  :  TRUE 

ENDCASES  MEASURE  length 


concurrent?  (H)  :  bool  %  definition  TBS:  no  ff'g  or  f g' g 

Conc_persists :  LAW 

EORALL  E,  H:  concurrent?  (H)  =>  concurrent?  (cons  (E,  H)  ) 
END  ffgg 


results:  THEORY 


BEGIN 


IMPORTING  message,  parts,  ffgg,  ideal,  protocols 

A,  B,  C:  VAR  agent 
X,  Y,  Z:  VAR  field 
E:  VAR  event 
H:  VAR  trace 
N1 ,  N2 :  VAR  nat 

Basic_secrets :  LEMMA 
basic? { (secrets) ) 


Secret_secrets :  LEMMA 

initial (X)  =>  public { secrets )  (X) 


Initial_public :  LEMMA 

subset? (analz (initial) ,  public  (secrets) ) 


ffgg_prefix:  LEMMA 

pref ix_closed ( (ffgg) ) 


fgfg(H):  bool  =  ffgg(H)  AND  NOT  concurrent? (H) 


47 


f gf g_protocol :  LEMMA 

protocol {{ fgfg) ,  (secrets),  (initial)) 


Mem_pub :  LEMMA 

(member (E,  H)  AND  ffgg(H)  and  safe ( (secrets) ,  (initial) )  (H)  ) 
=>  (public  (  (secrets) )  (Cont  (E) )  OR  concurrent? (H)  ) 


Main_lemma:  LEMMA 

event_safe ( (fgf g) ,  (secrets),  (initial)) 


END  results 


48 


D  The  Concurrent  Case 

Below  is  the  last  remaining  ease  in  the  proof  that  the  fgfg  example  protoeol  is  seeure.  This 
is  a  PVS  sequent,  with  a  eonjunetion  of  hypotheses  above  the  line  and  a  disjunetion  of 
eonelusions  below  the  line.  At  this  point  in  the  proof,  one  hypothesis  is  hidden,  namely, 
that  X  is  seeret.  Note,  however,  that  X  is  exposed  in  the  message  named  e,  whieh  is  the  last 
message  in  the  traee  cons  (e,  evs)  . 

The  hypotheses  in  this  ease  indieate  that  eertain  messages  have  oeeurred  and  give  eon- 
straints  on  their  order  whieh  imply  eoneurreney,  in  the  sense  that  two  sessions  are  not  seri¬ 
alizable. 

The  names  of  messages,  variables,  and  initial  segments  (tails)  of  the  traee  were  not  well 
ehosen,  so  a  few  remarks  are  offered  here  to  help  explain  the  logie.  For  brevity,  we  write 
cons  (a,  b)  as  a  .b  . 

By  [-1],  e  .  evs  is  a  legal  traee  of  ffgg.  The  seereey  theorem  would  say  that  e  .  evs  is 
’’safe,”  meaning  that  no  transmitted  message  is  seeret. 

Let  e3  =  the  message  in  [-6]. 

The  messages  e,  el,  e2  and  e3  are  messages  sent  by  B  from  two  sessions  eorre- 
sponding  to  the  nonees  Z1  and  N1  !  2.  Eaeh  message  eontains  a  number  (2  or  4)  identifying 
its  sequenee  within  the  protoeol.  The  next  nonee  is  unique  to  the  session  and  is  eonsistent 
between  messages  2  and  4.  (The  protoeol  eheeks  it.) 

By  [-1]  e  follows  (in  time)  any  message  in  evs,  whieh  ineludes  all  the  other  messages. 
e2  .  Hpl  and  el .  Hp2  are  right-prefi  xes  of  evs  by  [-7]  and  [-8].  Note  that  time  goes  from 
right  to  left  in  these  traees. 

e2  follows  any  message  in  Hpl,  and  it  must  preeede  el  sinee  Z1  does  not  oeeur  in 
Hpl  by  [1]. 

Then  e3  is  in  Hp2  and  henee  preeedes  el.  Thus,  {e2,  e3}  preeedes  el  preeedes  e. 
e  2  and  e  3  are  both  type  2,  e  and  e  1  are  type  4.  This  implies  eoneurreney  sinee  it  means 
neither  the  Z1  session  nor  the  N1 !  2  session  ean  eomplete  before  the  other  one  begins. 


Main_lemma .5. 3. 1.3. 2. 1.3. 1.5. 2. 2. 2.1  : 

[-1]  ffgg{cons{e,  evs)) 

[-2]  e  =  Said{B,  A,  Con (Nonce { 4 ) ,  Con (Nonce (Zl) , 

Con(X,  Ped(pub(B),  Con (X,  Y)  )  )  )  )  ) 

[-3]  Said(B,  A,  (Con (Nonce  (2 ) ,  Con (Agent (B) ,  Con (Nonce  ( Zl ) , 
Nonce  (N1 ))))))  =  e2 

[-4]  el 

Said(B,  A!2, 

Con (Nonce  ( 4 ) , 


49 


[-5] 


[-6] 

[-7] 

[-8] 

[-9] 

[-10] 

[-11] 


[1] 

[2] 

[3] 


Con  (Nonce (Nl ! 2 )  ,  Con (Nonce (Zl) ,  Ped(pub(B), 
Con (Nonce (Zl)  ,  Y! 1)  )  )  )  )  ) 
member ( Said (C ! 2 ,  B, 

Con (Nonce ( 3 ) , 

Con (Agent (A ! 2 ) , 

Bed (pub  (B) , 

Con (Nonce (Nl ! 2 ) ,  Con (Nonce  ( Zl ) , 

Hp2) 

member ( Said (B,  A!2,  (Con (Nonce (2 ) ,  Con (Agent (B) , 

Con (Nonce (Nl ! 2 ) ,  Nonce (N2 ! 2 )))))) ,  Hp2) 
extends? (evs,  cons (el,  Hp2)) 
extends? (evs,  cons(e2,  Hpl)) 
protocol (( fgfg) ,  (secrets),  (initial)) 
saf e  (( secrets ) ,  (initial) )  (evs ) 
f f gg  (evs ) 


parts_tr (Hpl ) (Nonce (Zl)) 

B  =  Spy 

concurrent? (cons  (e,  evs)) 


Y!l) ) ) ) ) ) , 


50 


Protocol-Independent  Secrecy* 

Presented  at  2000  IEEE  Symposium  on  Security  and  Privacy 


Jon  Millen  and  Harald  RueB 
SRI  International 
Menlo  Park,  CA  94025,  USA 
{millen, ruess}@csl.sri. com 


Abstract 

Inductive  proofs  of  secrecy  invariants  for  cryptographic  protocols  can  be  facilitated 
by  separating  the  protocol-dependent  part  from  the  protocol-independent  part.  Our 
Secrecy  theorem  encapsulates  the  use  of  induction  so  that  the  discharge  of  protocol- 
specific  proof  obligations  is  reduced  to  first-order  reasoning.  Secrecy  proofs  for 
Otway-Rees  and  the  corrected  Needham-Schroeder  protocol  are  given. 


1  Introduction 

Cryptographic  protocols  are  used  to  achieve  goals  like  authentication  and  key  distribution. 
In  the  analysis  of  these  protocols,  however,  it  is  important  to  establish  not  only  that  these 
goals  are  actually  met,  i.e.  that  ‘something  good  is  going  to  happen’,  but  also  to  prove  that 
no  secrets  are  being  revealed,  i.e.  it  is  never  the  case  that  ‘something  bad  is  happening’.  In 
this  paper  we  concentrate  on  proving  secrecy  invariants  of  cryptographic  protocols,  since 
these  kinds  of  proofs  have  often  been  found  to  be  the  hardest  task  in  analyzing  a  protocol. 
More  precisely,  secrecy  has  been  shown  to  be  undecidable  even  under  very  weak  assump¬ 
tions  on  the  protocol  [2]. 

Our  starting  point  is  the  inductive  approach  developed  by  Paulson  [7].  In  this  model, 
a  protocol  is  a  rule  for  adding  message  events  to  a  trace  of  prior  events.  A  trace  may 
involve  many  interleaved  protocol  runs.  For  purposes  of  analysis  it  is  assumed  that  protocol 
messages  sent  over  a  network  are  also  accessible  to  a  hostile  “spy”  who  is  able  to  read, 
alter,  and  forge  messages.  Paulson  uses  a  theorem  prover  to  partially  automate  proofs  by 
developing  specialized  strategies. 

*  This  work  was  funded  by  DARPA  through  the  Air  Force  Research  Laboratory  Contract  F30602-98-C-0258 
and  by  DARPA  through  Rome  Lab  contract  F30602-96-C-029L 


51 


The  main  contribution  of  this  paper  is  a  theorem  that  reduces  secrecy  proofs  for  proto¬ 
cols  to  fi  rst-order  reasoning;  in  particular,  discharging  these  proof  obligations  does  not  re¬ 
quire  any  inductions.  The  trick  is  to  confi  ne  the  inductions  to  general,  protocol-independent 
lemmas,  so  that  the  protocol-specifi  c  part  of  the  proof  is  minimized. 

In  order  to  formulate  our  results,  we  borrow  the  notion  of  ideals  on  strand  spaces  [9], 
and  we  show  how  this  concept  is  useful  in  a  trace  model  context  for  stating  and  proving 
secrecy  invariants.  We  show  how  the  complement  of  an  ideal,  which  we  call  a  coideal, 
serves  as  a  catalyst  to  apply  Paulson’s  calculus-like  set  operators.  Our  protocol  model  is 
also  unusual  in  that  message  events  are  interspersed  with  “spell”  events  that  generate  the 
short-term  secrets  in  a  session  and  specify  which  principals  are  supposed  to  share  them. 

We  originally  intended  this  investigation  to  support  our  work  in  applying  a  theorem 
prover  to  inductive  protocol  proofs.  However,  we  discovered  that  these  techniques  are  so 
effective  that  we  could  perform  some  proofs  by  hand  using  them.  Manual  proofs  have  been 
done  before,  such  as  the  strand-space  proofs  in  [9]  and  Schneider’s  CSP  proofs  [8],  but  not 
for  Paulson’s  trace  model,  and  not  for  a  diffi  cult  protocol  like  Lowe’s  corrected  version  of 
the  Needham-Schroeder  public  key  protocol  [4].  Examples  of  secrecy  proofs  are  included 
here  for  that  protocol  and  for  the  Otway-Rees  [6]  protocol. 


2  The  Modeling  Approach 

Our  modeling  approach  closely  follows  Paulson’s  [7],  although  the  details  of  the  notation 
are  different.  A  protocol  is  a  rule  for  adding  messages  and  other  events  to  a  history  or 
trace  of  past  events,  represented  as  a  sequence.  Encrypted  message  fi  elds  are  represented 
symbolically  by  terms  indicating  the  key  and  plaintext  fi  eld. 

2.1  Fields 

The  modeling  fask  begins  by  defi  ning  fhe  primitive  dafa  fypes  fhaf  may  occur  as  message 
fi  elds:  agenfs  A,  keys  /C,  and  nonces  N.  (In  anofher  confexf  we  mighf  use  “principal” 
insfead  of  “agenf.”)  These  sefs  are  assumed  fo  be  disjoinf,  and  fhey  are  all  subfypes  (subsefs) 
of  fhe  fi  eld  fype  T.  As  a  nofafional  convention,  variables  A,  B  and  varianfs  always  sfand 
for  agenfs;  K  and  varianfs  always  sfand  for  keys;  and  N  and  varianfs  are  always  nonces. 
X,  y,  and  Z  are  arbifrary  fi  elds. 

Each  agenf  A  has  some  long-ferm  keys:  a  public  key  pub(A),  a  corresponding  privafe 
key  prv(A),  and  a  symmefric  key  shr(A).  The  sef  of  long-ferm  keys  is  denofed  Kl-  We 
assume  fhaf  shorf-ferm  keys  are  symmefric  keys,  and  fhey  are  in  fhe  sef  /C^. 


52 


The  basic  fi  elds  are  those  in  the  set  A/"  U  /C.  These  are  the  kinds  of  primitive  fi  elds  that 
may  be  designated  as  seeret  aeeording  to  the  poliey  that  the  protoeol  is  supposed  to  uphold. 
Agents  and  eompound  fi  elds  are  never  designated  as  seeret  by  poliey,  though  some  eom- 
pound  fi  elds  may  have  fo  be  profeefed  fo  mainfain  fhe  seereey  of  some  of  fheir  eomponenfs. 

Compound  fi  elds  are  eonsfruefed  by  eoneafenafion  or  enerypfion.  The  eoneafenafion  of 
X  and  Y  is  fhe  ferm  Y .  We  will  add  braekefs,  as  [Jf,  Y],  when  neeessary  fo  separafe  a 
eoneafenafion  from  ifs  eonfexf  fo  avoid  eonfusion.  The  eoneafenafion  operafor  is  binary  buf 
assoeiafive,  so  fhaf  if  may  be  viewed  as  n-ary,  and  a  ferm  like  [Jf,  y,  Z]  is  unambiguous. 

The  enerypfion  of  X  using  fhe  key  K  is  {X}k,  regardless  of  fhe  fype  of  key.  Eaeh  key 
K  has  an  inverse  K  ^  sueh  fhaf 


{{X}k}k-^  =  X  (1) 

{{X}k-^}k  =  X  (2) 

in  fhe  sense  fhaf  fhese  terms  are  regarded  as  equivalent.  For  any  agent  A, 

pub(A)“^  =  prv(A),  (3) 

prv(A)“^  =  pub(A),  (4) 

shr(A)“^  =  shr(A).  (5) 


There  are  two  speeial  agents:  Srv,  a  trusted  server  assumed  to  hold  the  symmetrie  (and 
thus,  shared)  key  shr(A)  of  any  agent  A;  and  the  intruder  Spy. 

Given  sets  A,  /C,  and  Af,  and  the  operators  whose  signatures  and  relations  have  just 
been  given  for  them,  there  is  an  initial  algebra  generated  by  them  [5];  this  algebra  is  the 
cryptospace  of  fi  elds.  If  is  an  idealized  abslraefion  of  fhe  frue  sef  of  message  fi  elds  in  several 
ways.  For  example,  fhere  may  be  an  infi  nife  number  of  nonees  and  keys,  and  repealed 
enerypfion  wilh  fhe  same  key  generates  an  infi  nife  number  of  values. 

2.2  Events 

There  are  fwo  kinds  of  evenfs:  messages  and  spells.  Messages  are  essenfially  Paulson’s 
Says  evenfs,  and  spells  may  be  fhoughf  of  as  a  variafion  on  fhe  Notes  event,  but  with  a 
different  purpose. 

A  message  is  an  event  A  ^  B  :  X,  where  (as  implied  by  our  notational  eonventions) 
A  and  B  are  agents,  and  is  a  fi  eld.  The  content  X  oi  n  message  event  M  is  denoted  by 
M.  The  sender  A  and  the  reeeiver  B  will  always  be  the  true  sender  and  intended  reeeiver, 
as  in  Paulson’s  model. 

A  spell  generates  eertain  session-speeifi  e  primitive  fi  elds  and  designates  them  as  seeret. 
A  spell  is  an  event  S  %  L,  where  S'  is  a  set  of  short-term  basie  fi  elds  ealled  the  book,  and  L, 


53 


the  so-called  cabal,  is  a  set  of  agents  who  are  permitted  to  share  the  secrets  in  S.  The  book 
and  the  cabal  of  a  spell  event  C  are  denoted  by  Ca  and  Ca,  respectively. 

As  a  notational  convention,  we  use  E  (and  variants)  to  denote  events,  while  M  is  a 
message  and  (7  is  a  spell. 

A  trace  is  a  fi  nite  sequence  of  events.  Notationally,  variants  of  H  are  traces.  We  indicate 
trace  concatenation  or  postfi  xing  an  event  to  a  trace  with  juxtaposition,  e.g.,  HE,  and  E  € 
H  means  that  E  occurs  in  the  sequence  H,  so  that  H  =  H'EH".  The  empty  trace  is  e. 

We  extend  the  notion  of  a  content  to  traces  in  the  natural  way.  Spells  do  not  contribute 
to  the  content. 

H  =  {M.\M  e  H}. 


2.3  Inductive  Relations 

The  fundamental  operations  on  sets  S  of  message  fi  elds,  as  introduced  by  Paulson,  are 
parts(5),  analz(S'),  and  synth(S'). 

Briefly,  parts(5)  is  fhe  sef  of  all  subfields  of  fields  in  fhe  sef  S,  including  componenfs 
of  concafenafions  and  fhe  plainfexf  of  encrypfions  (buf  nol  fhe  keys).  Note  fhaf  if  G 
parts({y})  fhen  is  a  subterm  of  Y,  in  fhe  sense  of  [9],  wriffen  X  QY.  The  subterm 
relation  is  a  partial  order. 

analz(S')  is  fhe  subsef  of  parts(S')  consisting  of  only  fhose  subfields  fhaf  are  accessible 
fo  an  allacker.  These  include  componenfs  of  concalenalions,  and  fhe  plainfexf  of  fhose  en¬ 
cryptions  where  fhe  inverse  key  is  in  analz(S').  Thus,  analz(S')  is  defi  ned  fo  be  fhe  smallesl 
sef  such  fhaf 

1.  5  C  analz(5) 

2.  if  [X,  Y]  E  analz(S')  fhen  X  E  analz(5)  and  Y  E  analz(S') 

3.  if  {X}k  E  analz(S')  and  E  analz(S')  fhen  X  E  analz(S'). 

Finally,  synth(5)  is  fhe  sef  of  fi  elds  conslruclible  from  S  by  concalenalion  and  encryp- 
lion  using  fi  elds  and  keys  in  S. 

The  following  properlies  are  slated,  for  similarly  defi  ned  sels,  in  [7].  They  are  all  proved 
by  slraighlforward  inductions. 

Proposition  1  The  set  transformers  parts(S'),  analz(S'),  and  synth(S')  are  closure  opera¬ 
tors  —  that  is,  they  are  extensive  (SC  parts(<S')),  monotonic,  and  idempotent.  Furthermore: 

parts(analz(S'))  =  parts(S')  (6) 


54 


analz(parts(S)) 

=  parts(S) 

(V) 

parts(synth(S)) 

=  parts(S)  U  synth(S) 

(8) 

analz(synth(S)) 

=  analz(S)  U  synth(S) 

(9) 

The  intruder  in  our  model  synthesizes  faked  messages  from  analyzable  parts  of  a  set  of 
available  fi  elds.  This  motivates  the  deti  nition  of  fake  (S'). 

Definition!  fake(S)  =  synth(analz(S)) 

Lemma  1  (Fake-Parts) 

parts(fake(S))  =  parts(S)  Ufake(S) 

Proof.  Using  the  equalities  in  Proposition  1. 

parts(fake(S))  =  parts(analz(S))  Ufake(S)  =  parts(S)  Ufake(S).B 


3  Ideals  and  Coideals 

If  the  spy  ever  obtains  some  seeret  fi  eld  X,  it  ean  transmit  X  as  the  eontent  of  a  message. 
Thus,  our  seereey  poliey  is  that  li  B  :  X  oeeurs  in  some  traee,  then  X  ^  S,  where  S 
is  a  set  of  basie  seerets. 

The  invariant  that  we  will  aetually  prove  is  that  X  ^  T(S),  where  X(S)  is  the  ideal 
generated  by  S:  the  smallest  set  of  fields  fhaf  ineludes  S  and  whieh  is  elosed  under  eon- 
eafenafion  wifh  any  fi  elds  and  under  enerypfion  wifh  keys  whose  inverses  are  nol  in  5.  T{S) 
is  fhe  A:-ideal  If,  [S']  from  [9]  where  k  is  fhe  sef  of  keys  whose  inverses  are  nol  in  S. 

Wifh  our  ehoiee  of  k,  fhe  ideal  is  defi  ned  as  follows: 

Definition  2  (Ideal)  I{S)  is  the  smallest  set  such  that 

1.  SCI{S) 

2.  if  X  ^  I{S)  orY  ^  I{S)  then  [X,  Y]  e  X{S) 

3.  ifX  e  I{S)  and  ^  S  then  {X}k  €  X(S) 

Under  the  assumption  that  any  term  not  in  the  ideal  may  be  already  eompromised,  it 
is  neeessary  to  proteet  this  whole  ideal,  beeause  eompromising  any  element  of  the  ideal 


55 


effectively  compromises  some  element  of  S.  It  turns  out  that  protecting  this  ideal  is  also 
suffi  cient. 


The  complement  of  I{S),  which  we  call  a  coideal,  is  denoted  by  C{S).  The  coideal 
C(S)  defi  nes  the  set  of  fi  elds  that  are  public  with  respect  to  the  basic  secrets  S,  i.e.,  fi  elds 
whose  release  would  not  compromise  any  secrets  in  S. 

The  property  that  makes  the  notion  of  “coideal”  worth  defi  ning  is  that  coideals  are 
closed  under  attacker  analysis,  thereby  implying  that  protection  of  the  ideal  is  suffi  cienf. 

Lemma  2  (Analz  Closure)  For  a  set  S  of  fields: 

analz(C(5))  =  C{S) 

Proof.  The  righf-lo-lefl  inclusion  follows  from  exfensivify  of  analz(.)  (Proposition  1).  We 
apply  fhe  smallesf-sef  defi  nifion  of  analz(.)  fo  show 

analz(C(5))  C  C{S). 

We  have  fo  show  fhaf  C(S)  is  closed  under  fhe  fwo  rules  fhaf  expand  analz(.). 

Firsf,  suppose  [X,  Y]  E  C{S).  Thai  is,  [X,  Y]  f  I{S).  Hence  neilher  X  nor  Y  is  in  I{S) 
by  defi  nifion  of  fhe  ideal,  so  bofh  are  in  C(S'). 

Second,  suppose  {X^k  E  C{S)  and  K  ^  E  S.  {X^k  ^  '^{S)  implies  fhaf  eifher 
X  f  I{S)  or  K~^  E  T(5').  The  firsf  subcase  is  Irivially  finished  and  fhe  latter  subcase 
confradicfs  fhe  assumption  E  S.m 

An  analogous  resulf  does  nol  hold  for  synfhesis  in  general,  buf  depends  on  fhe  primi- 
fiveness  of  fhe  elemenfs  generafing  fhe  coideal. 

Lemma  3  (Synth  Closure)  For  a  set  S  of  basic  fields: 

synth(C(5))  =  C{S) 

Proof  The  lefl-fo-righl  inclusion  is  exfensivify  (Proposition  1).  So  if  remains  fo  show 

synth(C(5))  C  C{S). 

We  musl  show  fhaf  C{S)  is  closed  under  fhe  fwo  rules  fhaf  expand  synth(.). 

Firsf,  lei  X  E  C{S)  and  Y  E  C(S).  We  musl  show  fhaf  [X,  Y]  E  C{S).  Olherwise, 
[X,  Y]  E  I{S),  eifher  because  [X,  Y]  E  S  or  because  X  orY  E  I{S).  The  former  cannol 
be  Irue  because  S  is  primitive  and  fhe  latter  would  conlradicl  fhe  hypolhesis  for  Ibis  case. 


56 


Second,  let  X  E  C(S)  and  K  E  C(S).  We  must  show  that  {X}k  E  C{S).  Otherwise, 
{^}k  G  either  because  {X}k  E  S,  not  possible  for  primitive  S';  or  partly  because 
X  E  I{S),  which  contradicts  the  hypothesis  for  this  case.  ■ 

Lemmas  2,  3  are  typically  used  to  reduce  proof  obligations  like  analz(T)  C  C{S)  to 
T  C  C(S);  similarly  for  synth(.). 

4  Protocols  and  Secrecy 

A  protocol  speciti  es  which  messages  or  spells  can  be  appended  to  an  event  trace.  A  secret 
in  a  spell  book  must  be  unused  in  the  prior  trace,  in  the  sense  that  it  is  not  a  part  of  any 
message  content  and  it  has  not  occurred  as  a  secret  in  a  prior  spell. 

Definition  3  (Unused) 

If  H  is  a  trace,  X  is  unused  in  H  if  X  is  basic,  X  f  parts(^),  and  X  ^  Ca  far  any 
C  E  H.  The  set  of  unused  fields  in  H  is  denoted  by  unused(i?). 

Definition  4  (Protocol) 

A  protocol  is  a  binary  relation  between  traces  and  events,  such  that  if  {H,  C)  E  P  then 
Ca  C  unused(iL). 

A  plenum  is  a  set  of  traces  that  could  be  generated  by  a  protocol  in  an  environment  with 
intruder  activity,  given  some  set  of  fi  elds  I  assumed  initially  held  by  the  intruder. 

Definition  5  (Plenum) 

If  P  is  a  protocol  then  the  plenum  Ui{P)  is  the  set  of  traces  defined  inductively  by: 

1.  eEUi{P) 

2.  IfHE  Ui{P)  and  {H,  E)  E  P  then  HE  E  Ui{P) 

3.  If  H  E  Ui{P)  and  E  is  a  message  from  Spy  with  ^  E  synth(analz(^U  /))  then 
HE  E  Ui{P) 

A  message  is  called  honest  (forUj{P))  if  it  has  been  introduced  to  a  trace  by  means  of  rule 
(2)  above,  while  messages  introduced  by  (3)  are  fake. 

Because  protocol  spell  books  introduce  unused  secrets,  it  is  easy  to  show  that  the  spell 
books  of  different  spells  are  disjoint. 


57 


Lemma  4  (Disjoint  Book)  IfC,C'^H^  either  C  —  C  or  Cl  C'^  —  0. 


The  basic  secrets  associated  with  a  spell  include  not  only  the  elements  of  the  spell  book 
but  also  the  long-term  secrets  of  the  agents  in  the  cabal. 

Definition  6  (Basic  Secrets)  Let  C  be  a  spell; 

Sc  =  u  {prv(^)|^  e  Ca]  u  {shr(^)|^  G  C^] 

A  spell  is  compatible  with  an  initial  knowledge  set  that  does  not  compromise  its  asso¬ 
ciated  basic  secrets,  or  mention  the  short-term  secrets  in  its  book. 

Definition  7  (Compatible  Spell)  A  spell  C  is  I-compatible  if 

Lie  C{Sc)  and 
2.  Sc  n  parts(7)  =  0. 

A  trace  is  occult  for  an  initial  I  if  it  protects  the  basic  secrets  of  any  spell  compatible 
with  I. 

Definition  8  (Occult  Trace) 

A  trace  H  is  I-occult  if,  for  all  I-compatible  spell  events  C  ^  H, 

ana\z{HUl)  C  C(Sc) 

A  protocol  is  secure  with  respect  to  its  secrecy  policy  and  the  spy’s  initial  knowledge 
if  every  trace  in  the  plenum  it  generates  is  occult.  The  secrecy  proof  for  a  protocol  has  a 
protocol-independent  part  and  a  protocol-dependent  part.  The  protocol-dependent  part  is 
expressed  by  the  event-occult  property  deli  ned  below.  It  says  that  if  the  prior  trace  is  occult, 
the  next  message  event  generated  by  the  protocol  does  not  compromise  a  secret.  This  has 
to  be  proved  individually  for  each  protocol. 

Definition  9  (Event-Occult) 

A  protocol  P  is  event-occult  if  for  all  H,  I,  and  C  satisfying  the  conditions: 

1.  C  ^  H  ^  lAi{P)  such  that  H  is  I-occult, 

2.  {H,  M)  e  P,  and 

3.  C  is  I-compatible 


58 


it  is  the  case  that  M  C  C(Sc)- 

The  protocol-independent  part  of  a  secrecy  proof  is  the  Secrecy  theorem.  It  only  has  to 
be  proved  once. 

Theorem  1  (Secrecy) 

If  P  is  event-occult  then  every  trace  in  Ui{P)  is  I -occult. 

Proof.  By  induction  on  the  trace  H.  \f  H  =  e  then  there  is  nothing  to  prove,  since  H 
contains  no  spell. 

Consider  a  trace  HE  G  Ui{P).  We  have  H  G  Ui{P)  and  {H,E)  €  P.  The  induction 
hypothesis  is  that  H  is  7-occult.  For  the  induction  step,  we  must  show  that  HE  is  7-occult. 

Choose  a  spell  C  E  H  such  that  7  C  C(Sc)  and  H  parts(7)  =  0.  We  must  show  that 
analz(77£^U7)  C  C(Sc). 

The  event  E  might  be  either  a  message  or  a  spell.  Suppose  first  that  E  is  a  message.  It 
might  be  either  honest  or  fake.  In  either  case  ^  €  C(Sc)-  For,  if  E  is  honest,  this  is  true 
because  P  is  event-occult.  If  E  is  fake,  ^  E  fake(,ff  U  I).  By  the  induction  hypothesis, 
monotonicity  of  synth,  and  the  Synth-Closure  lemma,  we  have 

fake(,ff  U  7)  =  synth(analz(,ff  U  I))  C  synth(C(Sc))  =  C(Sc)- 

Now  we  observe  that: 

HE  UI  =  {E}UHUI 
E  E  C(Sc)  as  just  shown 
7  C  C(Sc’)  by  choice  of  C 
^Canalz(^U7)  C  C(Sc) 

Hence  HE  U  7  C  C(Sc) 

By  monotonicity  of  analz()  (Proposition  1)  and  Analz-Closure  (Lemma  2)  we 
are  done  with  this  case. 

Now,  let  E'  be  a  spell.  We  have 

analz(^  U  7)  =  analz(^  U  7)  C  C(Sc) 


In  the  following  sections  we  give  examples  of  proofs  of  the  event-occult  property  for 
two  protocols,  from  which  we  may  conclude,  by  the  Secrecy  theorem,  that  their  traces  are 


59 


occult.  These  are  strictly  secrecy  results,  and  show  only  that  the  secrets  generated  in  a 
particular  run  of  the  protocol  are  not  compromised.  Most  authors  of  protocol  proofs  have 
noted  that  the  security  objectives  of  a  protocol  may  be  undermined  in  other  ways  than 
by  compromising  secrets,  usually  due  to  some  failure  of  authentication.  We  discuss  this 
concern  in  the  Conclusion. 

5  Example:  The  Otway-Rees  Protocol 

The  Otway-Rees  protocol  is  a  good  one  to  begin  with  because  the  proof  is  short.  Also  this 
protocol  was  used  as  an  example  in  [9],  so  that  one  can  make  a  comparison  between  the 
effort  required  here  with  the  effort  required  to  do  the  secrecy  part  of  the  strand-space  proof 
in  that  paper  (which  was  also  fairly  short). 

The  goal  of  the  Otway-Rees  protocol  is  to  mutually  authenticate  an  initiator  and  respon¬ 
der  and  to  distribute  a  session  key  generated  by  the  server.  One  session  consists  of  the  four 
messages  in  Figure  1.  We  prove  that  none  of  the  secrets  Na,  Ni^,  or  K  are  disclosed. 


ori 

=  A^B: 

^5  -S,  {Na^N ,  A,  -B}shr(A) 

or2 

=  B- 

Srv 

:  iV,  A,  B,  {iVa,  iV,  A,  {Nh,  N,  A, 

ors 

=  Srv 

^  B 

ori 

=  B- 

A  : 

iV,{iVa,A:}5hr(A) 

Figure  1 :  The  Otway-Rees  Protocol 

The  informal  mles  in  Figure  1  are  easily,  albeit  somewhat  tediously,  encoded  in  the 
trace  model,  in  roughly  the  way  Paulson  would  do  it,  except  for  the  spell  event.  The  spell  is 
specifi  ed  by  9),  which  generates  the  two  nonces  Wa,  iVft,  and  the  session  key  K.  Note  that 
the  server  need  not  be  mentioned  in  the  cabal. 

The  relations  ori,  or2,  ora  (in  Defi  nition  11)  on  message  events  M  and  traces  H  cor¬ 
respond  to  the  messages  in  the  informal  description  of  the  protocol.  Relation  ori{H,  M) 
holds  when  rule  ovi  is  used  to  generate  message  M.  A  message  is  not  sent  unless  there 
is  a  suitable  prior  history  of  messages  sent  and  received  by  the  sending  agent.  Rules  that 
introduce  nonces  take  them  from  a  prior  spell  with  the  expected  cabal.  When  an  agent  uses 
a  secret  from  a  spell  book,  the  agent  does  not  see  any  of  the  other  secrets  in  the  same  spell 
book,  though  it  might  know  about  them  from  prior  messages. 

In  general,  a  trace  generated  by  these  rules  interleaves  the  behavior  of  as  many  agents 
as  we  wish,  and  any  number  of  concurrent  or  sequential  sessions  of  the  same  agents.  Also, 


60 


once  a  message  is  enabled,  it  can  be  added  to  the  trace  any  number  of  times.  This  is 
unrealistic,  but  it  is  a  possible  consequence  of  attacker  behavior,  and  it  does  not  affect 
secrecy  conclusions. 


Definition  10  (Otway-Rees)  OR  is  the  union  of  the  relations 


9o{H,C) 


ori{H,M) 


or2{H,M) 


orsiH^M) 


or4{H,M) 


{3Na,Nh,K,A,B) 

Na^Nh^K  E  unused(iJ) 

A  C  =  {Na,N,,K}t{A,B} 

(BA,B,N,Na,C) 

N„ECACa  =  {A,B} 

A  M  =  A^B:  fV,Ai?,{iVa,iV,A-B}shr(^) 

(BA,A',B,X,N,Nh,C) 

NbECACa  =  {A,B} 

A  A'  ^  B:  N,A,B,X  eH 

A  M  =  B^Srv:  N,A,B,X,{N,,N,A,B}^^^^^J;^^ 
{BA,B,B',N,N^,Nb,K,C) 

K  eC  ACa^{A,B} 

A  B'^Srv:  N,A,B,{N,,N,A,B}^^^^^^y{N,,N,A,B}^^^^^^^EH 
A  M  =  Srv i?  : 

{BA,A',BN,Y,N^,Nb,K) 

B^Sry:  N,A,B,X,{N,,N,A,B}^^^^^^^  E  H 

A  Srv  — )■  S  : 

A  M^B^A:  N,Y 


OR  is  a  protocol  in  the  sense  of  Deli  nition  4,  since  go  only  puts  previously  unused  fi  elds 
into  the  book.  From  the  Secrecy  Theorem  1  and  the  following  lemma  it  follows  that  OR  is 
secure. 


Theorem  2  The  OR  protocol  is  event-occult. 

Proof.  Let  P  be  OR  and  choose  I.  Let  (iT,  M)  E  P,  where  H  E  Ui{P)  such  that  H  is 
/-occult.  Let  C  E  H  such  that  /  C  C(Sc)  and  Ca  H  parts(/)  =  0.  We  have  to  show 

M  CC(Sc). 


61 


There  are  four  message  rules. 

First,  eonsider  the  ease  (iT,  M)  G  ori,  then: 

M  =  A^B-. 

C  =  {Na,Ni>,K]X{A,B]  eH 

Notiee  that  N  ^  Sc,  beeause  N  is  unused,  and  A^B  ^  Sc  beeause  they  are  agents.  Now 
eonsider  the  enerypted  term. 

Case  A  e  Ca-  Then  shr(^)  e  Sc',  so  ^  ^  C(Sc)- 

Case  A  ^  Ca-  Then  C'  ^  C,  so  Na  ^  Sc-  Henee,  M  ^  C(Sc)- 

Seeond,  in  ease  (iT,  M)  E  or2, 

M  =  i?^Srv:  iV,Ai?,^,{iV6,iV,Ai?}shr(i?) 

Ml  =  A' ^  B  :  N,A,B,X  E  H 

where  Nf,  E  C'„  and  C'^  —  {A,B}.  Sinee  Mi  E  H  and  H  is  7-oeeult,  analz(MU/)  C 
C(Sc)-  But  the  unenerypted  terms  N,A,B,X  E  analz(Mi)  C  analz(MU/)  so 
N,  A^B^X  E  C(Sc)-  The  enerypted  term  is  also  in  the  eoideal,  using  the  same  arguments 
as  for  ori . 

Third,  in  ease  (iJ,  M)  E  or^, 

M  =  Srv^.B: 

M2  =  i?'^Srv:  iV,A-B,{iVa,iV,A-B}shr(7l)’{^«'’^’A-B}shr(i?) 

and  there  exists  a  spell  C'  E  H  sueh  that  K  E  C'^  and  C'^  =  {A^B}. 

We  know  N  E  C(Sc)  beeause  it  eame  from  M2.  The  first  enerypted  term  of  M  is  in  the 
eoideal  if  ^4  G  Cq.  Otherwise,  assume  A  ^  Ca-  We  know  C  ^  C  and  we  must  eonsider 
the  eomponents  Na,K.  K  ^  C^,  so  K  E  C(Sc)-  As  for  Na,  it  eomes  from  a  term  in  M2 
enerypted  with  shr(A),  so  Na  E  C(Sc)  beeause  ff  is  I-oeeult. 

The  same  argument  ean  be  used  for  the  seeond  enerypted  term  and  N/^. 

The  fourth  ease  (ff,  M)  E  or 4  is  trivial  beeause  the  message  fi  elds  have  been  eopied  from 
a  reeeived  message  in  B,  whieh  is  7-oeeult.  ■ 


6  Example:  The  Needham-Schroeder  Public-Key  Protocol 


62 


The  Needham-Schroeder  public-key  protocol  is  a  more  challenging  example,  which  to 
our  knowledge  has  not  been  verifi  ed  by  hand  before.  The  original  protocol  was  found  to 
be  flawed  by  Lowe,  who  suggested  a  change  in  one  message  that  made  it  secure,  as  far  as 
he  could  tell  from  a  model-checking  analysis  [4].  We  demonstrate  the  applicability  of  the 
secrecy  theorem  (Theorem  1  )  by  proving  that  Lowe’s  corrected  version  of  the  protocol, 
which  we  refer  to  as  NSL,  is  secure. 

oi  =  ^  .B  :  {Ala, 

62  =  B  ^  A-.  {Na,  iVh, 

03  =  B  :  {-^6}pub(S) 

Figure  2:  The  Needham-Schroeder-Lowe  Protocol 

The  informal  description  of  the  NSL  protocol  is  in  Figure  2.  Here  is  the  trace  relation 
version. 

Definition  11  (NSL  Protocol) 

The  protocol  NSL  is  defined  as  the  union  of  the  binary  relations  qq,  oi,  62.  onr/  03. 
go{H,C)  =  {3A,B,Na,Nb) 

G  unused(iT) 

A  C  =  {Na,Nt.}t{A,B} 
ai{H,M)  =  {3A,B,C,N^) 

C  e  H  A  Na  e  Ca  A  Ca  ^  {A,B} 

A  M  =  A^  B  :  {iVa,  ^}pub(S) 
b2{H,M)  =  {3A,B,A',C,Na,Nt.) 

C  eH  A  NbECaA  Ca  =  {A,B} 

A  A'  ^  B  :  {Na,  ^}pub(.B)  ^  ^ 

A  M  ^B  ^  A:  {Na,  N^,  -B}p^jb(^) 
a3{H,M)  =  {3A,B,B',Na,Nb) 

A^  B  :  {Na,  ^}pub(H)  ^  ^ 

A  B'  ^  A:  {Na,  Nb,  -B}pub(2l)  ^  ^ 

A  M  =  A^  B  :  {Nb}p^J^^(^^^ 

It  is  immediate  from  the  defi  nition  of  NSL  that  secrets  in  spells  are  unused  in  the  prior 
trace,  thus  NSL  is  a  protocol  in  the  sense  of  Defi  nition  4. 


63 


Theorem  3  (NSL  Protection) 

The  NSL  protocol  is  event-occult. 

Proof.  Let  P  be  the  NSL  protoeol  and  ehoose  I.  Let  (iJ,  M)  €  P,  where  H  E  Ui{P)  sueh 
that  H  is  7-oeeult.  Let  C  E  H  sueh  that  I  C  C{Sc)  and  n  parts(7)  =  0.  Sinee  77  is 
7-oeeult,  analz(^U  7)  C  C(Sc)-  We  have  to  show  that  M  C  C(Sc)- 

There  are  three  message  rules. 

Case  1.  ai(77,  M). 

M  =  A'  ^  B  :  {Na,  ^}pub(S) 

and  C'  E  H  sueh  that  Na  E  C'^  and  =  {A,  B}.  \f  B  E  Ca  then  shr(7?)  E  Sc  and  the 
enerypted  term  is  in  the  eoideal.  Otherwise,  assume  B  Ca-  Then  C  C  and  Na  f  C^- 
This  faet,  together  with  A  ^  I{Sc)  yields  M_  ^  i7(Sc)- 

Case  2.  b2{H,M). 

M  =  B  ^  A:  {Na,  Nb,  -®}pub(y4) 

and  there  must  exist 

Mi=A'^B:  {iV„,  €  H 

and  C'  E  H  such  that  iVj,  E  C'^  and  C'a  —  {A,  B}. 

\i  A  E  Ca  then  M  ^  T(Sc)  and  we  are  done.  Suppose  A  ^  Ca-  Then  we  must  show  that 
Na,Nii,  and  B  E  C(Sc)-  Nb  is  handled  like  Na  in  the  fi rst  message  and  B  is  an  agent.  It  is 
also  trivial  for  iVa  if  .B  ^  Ca  because  Na  is  then  exposed  in  Mi  and  77  is  7-occult. 

We  must  show  that  Na  ^  Sc  if  we  assume  that  B  E  Ca-  Find  the  earliest  occurrence  of 
the  subterm  Mi  =  {Na,  ^}pub(.B)‘  •^here  is  a  message  M'  whose  content  has 

Ml  as  a  subterm,  and  Mi  is  not  a  part  of  the  prior  trace  H'.  Also,  Mi  f  parts(7)  unless 
Na  E  parts(7),  in  which  case  Na  ^  Sc  by  choice  of  C. 

M'  might  be  either  faked  or  honest.  If  M'  is  faked.  Mi  E  partslfake(77'  U  7))  = 
parts(77^  U  7)  U  fake(77^  U  7)  so  that  we  must  have  Mi  E  fake (77^  U  I).  Since  Mi  ^ 
parts (77^  U  7)  it  must  have  been  synthesized,  meaning  [iVa,  A\  E  fake (77^  U  7)  C  C(Sc), 
so  Na  i  Se¬ 
lf  M'  is  honest,  inspection  of  the  rules  and  the  message  component  types  shows  that  Mf  = 
Ml  and  ai{H' ,  M')  holds.  But  the  analysis  of  rule  ai  has  already  been  covered  in  the  fi  rst 
case. 

Case  3.  a^{H,  M).  If  the  receiving  agent  7?  of  M  is  in  the  cabal,  then  the  content  is  not  in 
the  ideal.  Thus,  assume  that  B  is  not  in  the  cabal.  From  the  defi  nition  of  03, 

Ml  =  A^B:  {N„  .4}p„t(B)  £  H 


64 


M2  =  ei? 

M  =  B:  {-/V6}p^jb(_B) 

and  one  has  to  show  A^j,  ^  Se¬ 
lf  M2  is  honest,  then  there  exists  a  prefi  x  H'  of  H  sueh  that  62(-ff^  M2)  and  there  exists  C 
with  iVh  e  C'^  and  =  {A,  B}.  But  B  ^  Ca,  so  C  ^  C  and  ^  Sc- 

Note  that  this  step  fails  if  the  sender  of  M2  does  not  oeeur  in  the  eneryption  fi  eld,  sinee  then 
we  eould  not  say  (in  the  rule)  that  B  ^  C^.  This  is  the  differenee  between  NSL  and  the 
original  protoeol. 

If  M2  is  faked,  fi  nd  the  earliest  message  M  eontaining  M2  as  a  part,  where  the  prior  traee 
is  H'.  By  ehoiee  of  M',  M2  ^  parts(^).  Also,  M2  ^  parts(7),  otherwise  iYj  G  parts(J), 
and  we  have  assumed  parts(7)  fl  Sc  =  0>  so  iV^  ^  Sc  and  we  would  be  done.  So  M2  ^ 
partsfTf^  U  7). 

If  M'  is  faked,  we  have 

M2  G  parts(fake(i7'  U  7))  =  partsfTf'  U  7)  U  fakelTf'  U  7) 


so 

M2  G  fake (77^  U  7)  =  svnthfanalz(J7^  U  7)). 

Sinee  M2  ^  parts(^  U  7)  it  must  be  that  M2  has  been  synthesized,  so 

Na,  iVh,  ,8  Gfake(^U7). 

But  fake(^  U  7)  C  C{H!_  U  7)  sinee  H  is  7-oeeult,  implying  that  Nf,  ^  Se¬ 
lf  M'  is  honest,  inspeetion  of  the  protoeol  rules  shows  that  M'  =  M2  and  62  (-ff,  M2),  and 
this  ease  was  eovered  previously.  ■ 


7  Conclusions 

Our  seereey  theorem  separates  protoeol-dependent  and  protoeol-independent  aspeets  of  se- 
ereey  proofs.  The  protoeol-dependent  part  is  to  show  the  “event-oeeult”  property,  whieh 
only  asks  whether  honest  messages  eompromise  seerets,  given  strong  assumptions  about 
the  preservation  of  seereey  in  the  prior  message  history. 

The  seerets  to  be  proteeted  are  defi  ned  in  an  explieit,  uniform  way  by  introdueing 
“spell”  events  into  the  protoeol.  Spell  events  generate  the  short-term  seerets  for  a  partieular 
“eabal,”  the  set  of  agents  sharing  the  new  seerets.  Seerets  are  shown  to  be  proteeted  even 


65 


when  the  long-term  seerets  of  other  agents,  or  the  short-term  seerets  in  other  protocol  runs 
(with  other  spells)  are  compromised. 

The  security  of  a  protocol  can  be  subverted  even  when  the  secrets  it  generates  are  pro¬ 
tected.  To  take  a  simple  example,  consider  the  single-message  key-distribution  protocol: 

A^B  : 

We  can  show  that  the  session  key  K  is  kept  secret.  However,  B  would  be  foolish  to  believe 
that  K  came  from  A  and  use  it  to  encrypt  information  to  be  shared  only  with  A. 

There  are  two  ways  to  avoid  this  kind  of  problem.  One  is  to  conduct  a  separate  au¬ 
thentication  proof,  and  attempt  to  establish  that  the  key  received  by  B  was  actually  sent 
by  A,  and  is  fresh.  If  both  the  secrecy  proof  and  the  authentication  proof  succeed  (and  the 
second  will  fail  in  this  example),  the  protocol  would  be  shown  secure.  While  most  authors 
who  have  developed  analysis  techniques  for  secrecy  have  extended  those  techniques  to  per¬ 
form  authentication  proofs  as  well,  we  should  consider  that  there  are  some  very  appealing 
authentication  logic  techniques  designed  for  this  purpose  [1,3].  Their  only  drawback  is 
that  they  cannot  show  secrecy  properties.  It  would  be  ideal  to  use  them  in  a  context  where 
secrecy  has  already  been  shown. 

If  the  ultimate  objective  is  really  to  show  secrecy,  not  for  the  session  key  per  se,  but  for 
some  text  encrypted  with  it,  then  there  is  another  way  to  focus  on  the  correct  goal:  include 
the  use  of  the  key  in  the  protocol.  To  do  this,  add  one  or  more  statements  to  the  protocol 
specifi  cation.  In  the  example  above,  we  could  add  the  message: 

B^A:  {N}k 

where  JV  is  a  new  secret.  The  augmented  protocol  is  not  event-occult. 

The  closure  results  on  the  coideal  have  turned  out  to  be  a  useful  addition  to  the  arsenal 
of  proof  techniques,  enabling  interesting  examples  to  be  shown  secure.  Protocol  proofs  are 
still  complex  enough  so  that  we  feel  proof-checking  and  automation  to  be  valuable  for  the 
sake  of  assurance,  and  we  believe  that  the  same  techniques  that  simplify  manual  proofs  will 
also  be  helpful  in  organizing  machine-assisted  proofs. 


References 

[1]  M.  Burrows,  M.  Abadi,  and  R.  Needham.  A  logic  of  authentication.  ACM  Transactions 
on  Computer  Systems,  8(1):  18-36,  1990. 

[2]  N.  Durgin,  P.  Lincoln,  J.  Mitchell,  and  A.  Scedrov.  Undecidability  of  bounded  security 
protocols.  In  Formal  Methods  and  Security  Protocols,  Federated  Logic  Conference, 
1999. 


66 


[3]  L.  Gong,  R.  Needham,  and  R.  Yahalom.  Reasoning  about  belief  in  eryptographie  pro- 
toeols.  In  IEEE  Symposium  on  Research  in  Security  and  Privacy,  pages  234-248.  IEEE 
Computer  Soeiety,  1990. 

[4]  G.  Eowe.  Breaking  and  fi  xing  the  Needham-Sehroeder  publie-key  protoeol  using  EDR. 
In  Proceedings  ofTACAS,  volume  1055  of  Lecture  Notes  in  Computer  Science,  pages 
147-166.  Springer- Verlag,  1996. 

[5]  J.  Meseguer  and  J.  Goguen.  Initiality,  induetion,  and  eomputability.  In  M.  Nivat  and 
J.  Reynolds,  editors.  Algebraic  Methods  in  Semantics,  pages  459-541.  Cambridge  Uni¬ 
versity  Press,  1982. 

[6]  D.  Otway  and  O.  Rees.  Effi  eient  and  timely  mutual  authentieation.  ACM  Operating 

System  Review,  1987. 

[7]  E.  Paulson.  The  induetive  approaeh  to  verifying  eryptographie  protoeols.  Journal  of 
Computer  Security,  6(1):85-128,  1998. 

[8]  S.  Sehneider.  Verifying  authentieation  protoeols  in  CSP.  IEEE  Transactions  on  Soft¬ 
ware  Engineering,  24(9):741-758,  September  1998. 

[9]  J.  Thayer,  J.  Herzog,  and  J.  Guttman.  Honest  ideals  on  strand  spaees.  In  Ilth 
IEEE  Computer  Security  Eoundations  Workshop,  pages  66-78.  IEEE  Computer  So¬ 
eiety,  1998. 


67 


Local  Secrecy  for  State-Based  Models* 

Presented  at  FMCS’2000 


Jon  Millen  and  Harald  RueB 
SRI  International 
Menlo  Park,  CA  94025,  USA 
{millen, ruess}@csl.sri. com 


Abstract 

Proofs  of  secrecy  invariants  for  cryptographic  protocols  can  be  facilitated  by  sep¬ 
arating  the  protocol-dependent  part  from  the  protocol-independent  part.  Our  Secrecy 
theorem  encapsulates  the  use  of  induction  so  that  the  discharge  of  protocol-specific 
proof  obligations  is  reduced  to  first-order  reasoning.  The  theorem  has  been  proved 
and  applied  in  the  PVS  environment  with  supporting  protocol  representation  theo¬ 
ries  based  on  a  state-transition  model.  This  technique  has  been  successfully  applies 
to  both  standard  benchmark  examples  and  to  parts  of  the  verification  of  the  Enclave 
group  management  system. 


1  Introduction 

Cryptographic  protocols  are  used  to  achieve  goals  like  authentication  and  key  distribution 
in  a  hostile  internet  environment.  Formal  methods  can  be  used  to  verify  the  adequacy  of  the 
design  of  such  protocols.  Security  goals  are  often  formalized  as  invariants.  In  this  paper  we 
concentrate  on  proving  secrecy  invariants,  which  are  important  both  for  their  own  sake  and 
to  support  authentication  goals. 

The  main  emphasis  of  this  paper  lies  in  the  description  of  our  PVS  [5]  formalization  of 
the  secrecy  theorem  published  in  [3].  This  theorem  reduces  secrecy  proofs  for  protocols  to 
fi  rst-order  reasoning;  in  particular,  discharging  these  proof  obligations  does  not  require  any 
inductions.  The  trick  is  to  confi  ne  the  inductions  to  general,  protocol-independent  lemmas, 
so  that  the  protocol-specifi  c  part  of  the  proof  is  minimized.  Moreover,  secrecy  protocols 

*This  work  was  funded  by  DARPA  through  AFRL  contract  F30602-98-C-0258  and  by  DARPA  through 
Rome  Lab  contract  F30602-96-C-0291. 


68 


are  modularized  in  the  sense  that  there  are  separate  verifi  eation  eonditions  for  eaeh  protoeol 
rule. 

The  seereey  theorem  in  [3]  was  based  on  Paulson’s  traee  model.  Here  we  reformulate 
this  theorem  to  also  work  on  a  state-based  model  whieh  is  more  eompatible  with  the  one 
propagated  by  Mitehell  et  al.  in  [1].  We  illustrate  the  eneoding  of  speeifi  e  protoeols  in  this 
model  using  the  Otway-Rees  protoeol  [4].  We  do  not,  however,  go  into  details  of  proofs, 
sinee  they  are  mostly  straightforward  adaptations  of  the  ones  stated  in  [3]. 

In  order  to  formulate  our  results,  we  borrow  the  notion  of  ideals  on  strand  spaees  [6], 
and  we  show  how  this  eoneept  is  useful  in  a  state  model  eontext  for  stating  and  proving 
seereey  invariants.  We  show  how  the  eomplement  of  an  ideal,  whieh  we  eall  a  coideal, 
serves  as  a  eatalyst  to  apply  Paulson’s  ealeulus-like  set  operators.  Our  protoeol  model  is 
also  unusual  in  that  message  events  are  interspersed  with  “spell”  events  that  generate  the 
short-term  seerets  in  a  session  and  speeify  whieh  prineipals  are  supposed  to  share  them. 

Besides  proving  seereey  results  of  standard  benehmark  protoeols  like  the  Otway-Rees 
and  the  Needham-Sehroeder  (publie  key)  protoeols,  our  methods  have  been  applied  sue- 
eessfully^  in  the  proeess  of  verifying  the  group  management  serviees  of  Enelaves  [2]. 


2  The  Modeling  Approach 

Our  modeling  approaeh  is  fairly  elose  to  the  MSR  idea  in  [1],  although  the  details  of  the 
notation  are  different.  A  protoeol  is  a  rule  for  plaeing  messages  and  updating  loeal  states 
in  a  global  set  of  eurrent  events.  Enerypted  message  fi  elds  are  represented  symbolieally  by 
terms  indieating  the  key  and  plaintext  fi  eld. 

2.1  Fields 

The  modeling  task  begins  by  defi  ning  the  primitive  data  types  that  may  oeeur  as  message 
fi  elds:  agents,  keys,  and  nonees.  (In  another  eontext  we  might  use  “prineipal”  instead  of 
“agent.”)  These  sets  are  assumed  to  be  disjoint,  and  they  are  all  subtypes  (subsets)  of  the 
fi  eld  type  T.  They  are  modeled  as  abstraet  datatypes  in  PVS. 

An  agent  is  either  an  ‘ordinary’  user,  a  dedieated  server  Srv,  or  the  supposedly  mali- 
eious  Spy.  Eaeh  agent  A  has  some  long-term  keys:  a  publie  key  Pub  (A)  ,  a  eorresponding 
private  key  Prv  (A) ,  and  a  symmetrie  key  Shr  (A)  . 

Message  fi  elds  are  divided  into  primitive  and  eompound  fi  elds.  The  primitive  fi  elds  eon- 
taining  agents,  nonees,  and  keys  are  eonstrueted  as  Agent  (A) ,  Nonce  (N) ,  and  Key  (K)  . 

'Private  communication:  B.  Dutertre,  SRI  International. 


69 


(The  PVS  conversion  mechanism  is  used  to  suppress  these  injections  in  the  sequel.)  Com¬ 
pound  fi  elds  are  constructed  by  concatenation  or  encryption.  The  concatenation  of  X  and 
Y  is  the  term  X  ++  Y.  or  encryption  Encr  (K,  X)  .  The  encryption  of  X  using  the  key  K 
is  Encr  (K,  X)  ,  regardless  of  the  type  of  key.  The  possible  message  fi  elds  are  elements  of 
the  datatype  field. 

Agents  and  compound  fi  elds  are  never  designated  as  secret  by  policy,  though  some  com¬ 
pound  fi  elds  may  have  fo  be  profecfed  fo  mainfain  fhe  secrecy  of  some  of  fheir  componenfs. 
Thus,  we  defi  ne  basic  fi  elds  as  nonces  and  keys,  which  are  fhe  kinds  of  primitive  fi  elds 
fhaf  may  be  designafed  as  secref  according  fo  policy.  The  PVS  defi  nifion  of  fhe  member¬ 
ship  predicafe  basic?  is  shown  below.  PVS  fragmenfs  are  displayed  in  fhis  paper  wifhin 
boxes. 


basic?:  set[field]  =  union (Nonce?,  Key?) 


As  a  nofafional  convenfion,  variables  A,  B  and  varianfs  always  sfand  for  agenfs;  K  and 
varianfs  always  sfand  for  keys;  and  N  and  varianfs  are  always  nonces.  X,  Y  and  Z  are 
arbifrary  fi  elds. 

Each  key  K  has  an  inverse. 


inv (K) :  key  = 

CASES  K  OF 

Pub (A):  Prv(A),  Prv (A) :  Pub (A) ,  Shr (A) :  Shr (A) ,  Ssk (A) :  Ssk (A) 
ENDCASES 


Thus,  bofh  Shr  (A)  and  Ssk  (A)  are  symmefric.  The  special  agenf  Server  is  as¬ 
sumed  fo  hold  fhe  symmefric  (and  fhus,  shared)  key  Shr  (A)  of  any  agenf  A. 


2.2  Events 

There  are  fhree  kinds  of  evenfs:  messages,  spells,  and  slate  evenls. 


event :  DATATYPE 

BEGIN 

Msg(Cont:  field) : 

Msg? 

Cast  (Secrets :  set 

[ (basic?)  ]  , 

Cabal : 

set  [agent] )  :  Spell? 

State (Role:  nat, 

Label:  nat, 

Memory ; 

:  field) :  State? 

END  event 

Messages  are  essentially  Paulson’s  Says  evenls,  and  fhe  conlenl  of  a  message  evenl  is 
a  fi  eld.  We  do  nol  need  fo  refer  fo  fhe  sender  and  receiver  of  a  message.  A  spell  generafes 


70 


certain  session-specifi  c  primitive  fi  elds  and  designates  them  as  secret.  A  spell  is  an  event 
Cast  (S,  C) ,  where  S  is  a  set  of  short-term  basic  fields  called  the  book,  and  C,  the  so- 
called  cabal,  is  a  set  of  agents  who  are  permitted  to  share  the  secrets  in  S. 

As  a  notational  convention,  we  use  E  (and  variants)  to  denote  events,  while  M  is  a 
message  and  C  is  a  spell. 

A  global  state  is  simply  a  collection  of  events.  Notationally,  variants  of  H  are  global 
states.  We  shall  see  later  that  states  reachable  by  a  protocol  contain  messages  in  transit  and 
local  states  of  agents  participating  in  the  protocol. 


global:  TYPE  =  set [event] 


We  extend  the  notion  of  a  content  to  global  states  in  the  natural  way.  Spells  and  state 
events  do  not  contribute  to  the  content.  Similarly,  the  secrets  of  a  state  are  obtained  as  the 
basic  fi  elds  of  fhe  secrefs  of  ifs  casf  evenfs. 


sees (H) (X):  boolean  =  EXISTS  (M:  (Msg?)):  member (M,H)  &  Cont (M)  =  X 

secrets (H) (X) :  boolean  =  EXISTS  (C:  (Spell?) ) : 

member (C,H)  &  basic? (X)  &  member (X, Secrets (C) ) 


2.3  Inductive  Relations 

The  fundamenlal  operations  on  sefs  S  of  message  fields,  as  infroduced  by  Paulson,  are 
Parts (S) ,Analz  (S) ,  and  Synth  (S ) . 

Briefly,  Parts  (S)  is  fhe  sef  of  all  subfields  of  fields  in  fhe  sef  S,  including  compo- 
nenfs  of  concatenations  and  fhe  plainfexf  of  encrypfions  (buf  nol  fhe  keys).  Note  fhaf  if 
member  {X,  Parts  {{y})  ) ,  fhen  X  is  a  subterm  of  Y,  in  fhe  sense  of  [6],  wriffen  X  <= 
Y.  The  subferm  relafion  is  a  parfial  order. 

Analz  (S)  is  fhe  subsef  of  Parts  (S)  consisting  of  only  fhose  subfields  fhaf  are  ac¬ 
cessible  fo  an  allacker.  These  include  componenls  of  concatenations,  and  fhe  plainfexf  of 
fhose  encryptions  where  fhe  inverse  key  is  in  Anal  z  { S )  . 


Analz  (S)  (X)  :  INDUCTIVE  bool  = 

S  (X) 

OR  (EXISTS  Y:  Analz (S) (X  ++  Y) ) 

OR  (EXISTS  Y:  Analz (S) (Y  ++  X)) 

OR  (EXISTS  K:  Analz (S) (Encr (K,  X))  AND  Anal z ( S ) ( inv (K) ) ) 


The  infruder  in  our  model  synlhesizes  faked  messages  from  analyzable  parls  of  a  sef  of 
available  fi  elds.  This  molivales  fhe  defi  nilion  of  f  ake  { S )  . 


71 


Fake(S):  set [field]  =  Synth (Analz (S) ) 

Fake_Parts :  LEMMA  Parts (Fake  (S) )  =  union (Parts (S) ,  Fake(S)) 


3  Ideals  and  Coideals 

If  the  spy  ever  obtains  some  seeret  fi  eld  X,  it  ean  transmit  X  as  the  eontent  of  a  message. 
Thus,  our  secrecy  policy  is  that  if  the  message  with  content  X  occurs  in  some  trace,  then 
NOT  member  {X,  S ) ,  where  S  is  a  set  of  basic  secrets. 

The  invariant  that  we  will  actually  prove  is  that  NOT  member  {X,  Ideal  (S)  ) , 
where  Ideal  (S)  is  the  ideal  generated  by  S:  the  smallest  set  of  fields  that  includes  S 
and  which  is  closed  under  concatenation  with  any  fi  elds  and  under  encryption  wifh  keys 
whose  inverses  are  nol  in  S.  ideal  (S  is  fhe  A:-ideal  from  [6]  where  k  is  fhe  sef  of 
keys  whose  inverses  are  nol  in  S . 

Wifh  our  choice  of  k,  fhe  ideal  is  defi  ned  as  follows: 


Ideal  (S)  (X)  : 

:  INDUCTIVE  boolean  = 

S(X) 

OR  (EXISTS 

Y,  Z : 

X  =  Y  ++  Z  &  (Ideal  (S)  (Y) 

OR 

Ideal  (S)  (Z) ) ) 

OR  (EXISTS 

Y,  K: 

X  =  Encr(K,  Y)  &  Ideal (S) 

(Y) 

&  NOT  S (inv (K) ) ) 

Under  fhe  assumption  fhal  any  term  nol  in  fhe  ideal  may  be  already  compromised,  if 
is  necessary  lo  prolecl  Ibis  whole  ideal,  because  compromising  any  elemenl  of  fhe  ideal 
effeclively  compromises  some  elemenl  of  S.  Il  lurns  oul  lhal  protecting  Ibis  ideal  is  also 
sufli  cienl. 

The  complemenl  of  and  ideal,  which  we  call  a  coideal,  is  denoted  by  Co  ideal  (S)  . 
This  deli  nes  Ihe  sel  of  fi  elds  lhal  are  public  wilh  respecl  lo  Ihe  basic  secrels  S,  i.e.,  fi  elds 
whose  release  would  nol  compromise  any  secrels  in  S. 

The  properly  lhal  makes  Ihe  notion  of  “coideal”  worlh  deli  ning  is  lhal  coideals  are 
closed  under  allacker  analysis,  Ihereby  implying  lhal  protection  of  Ihe  ideal  is  sufli  cienl. 


Analz_Closure :  LEMMA  Analz (Coideal (S) )  =  Coideal  (S) 

Synth_Closure :  LEMMA  subset? (S,  (basic?))  => 

Synth (Coideal (S) )  =  Coideal (S) 


72 


4  Protocols  and  Secrecy 


A  protocol  specifi  es  which  messages  or  spells  can  be  added  to  a  global  state.  A  secret  in  a 
spell  book  must  be  unused  in  the  prior  state,  in  the  sense  that  it  is  not  a  part  of  any  message 
content  and  it  has  not  occurred  as  a  secret  in  a  prior  spell. 


unused (H:  global) (X:  field) :  boolean  = 

basic?  (X)  &  NOT (Parts (sees (H) )  (X) )  &  NOT (secrets (H)  (X) ) 


A  protocol  rule  is  a  triple  consisting  of  a  pre-  and  a  post  set  of  events  and  a  set  of  nonces. 
Intuitively,  such  a  rule  is  applicable  in  some  global  state  H  if  the  pre  events  are  a  subset  of 
H  and  if  the  nonces  in  the  rule  are  unused  in  H.  A  rule  fi  res  by  deleting  the  pre  events  from 
the  state  and  adding  the  post  events. 


rule:  TYPE  = 

[#  Pre:  set [event].  Nonces:  set [ (basic?) ] ,  Post:  set [event]  #] 


There  are  several  local  conditions  on  protocol  rules.  First,  there  is  at  most  one  spell  in 
the  post,  and  a  cast  and  a  message  event  may  not  occur  simultaneously  in  the  post.  Second, 
all  secrets  of  casts  in  the  post  must  be  subset  of  the  rule  nonces.  Third,  regularity  states  that 
whenever  a  longterm  key  K  is  neither  in  the  parts  of  the  content  or  the  memory  of  the  pre 
then  it  is  also  not  in  the  parts  of  the  content  or  the  memory  of  the  post. 


single_spell (post :  set [event]):  boolean  = 

FORALL  (C,  Cl:  (Cast?),  E:  (Event?)): 

(member (C,  post)  &  member (Cl,  post)  =>  C  =  Cl) 

&  (member (C,  post)  &  member (E,  post)  =>  NOT  Msg?(E)) 

fresh (Ns:  set [ (basic? )] ,  post:  set [event]):  boolean  = 

FORALL  (C:  (Cast?)):  member (C, post )  =>  subset? (Secrets (C)  ,  Ns) 

regular  (pre,  taul)  :  boolean  = 

FORALL (K:  longterm) : 

(NOT (Parts (sees (pre) ) (K) )  &  NOT (Parts (memory (pre) ) (K) ) ) 

=>  (NOT (Parts (sees (post) ) (K) )  &  NOT (Parts (memory (post) ) (K) ) ) 


It  is  usually  straightforward  to  check  that  rules  of  a  specifi  c  protocol  obey  these  condi¬ 
tions.  Usually,  we  (mis)use  the  PVS  prover  to  automatically  check  these  static  conditions. 

Rules  that  satisfi  es  the  conditions  above  are  collected  in  the  type  protocol. 


73 


protrule(rl:  rule) :  boolean  = 
single_spell (Post (rl) ) 

&  fresh (Nonces (rl) , Post (rl) ) 

&  regular (Pre (rl) , Post  (rl) ) 

protocol:  TYPE  =  set [  (protrule) ] 


A  protocol  P  and  a  given  set  of  initial  knowledge  I  (of  the  spy),  a  global  1-extension 
is  a  binary  relation  of  states.  This  relation  determines  a  transition  system.  An  extension  is 
either  honest,  i.e.  it  corresponds  to  a  move  by  a  player  following  the  rules,  or  it  is  faked 
by  the  spy.  As  usually,  the  spy  is  reduced  to  add  only  messages  with  a  content  that  can  be 
inferred  from  the  content  of  the  current  state  and  the  initial  knowledge. 


honest  (P:  protocol)  (H,  HI)  :  boolean  = 

EXISTS (rl:  (P) ) :  subset? (Nonces (rl) ,  unused(H)) 

&  subset?  (Pre  (rl) ,  H) 

&  HI  =  union (Post (rl) ,  difference (H,  Prestates ( rl )) ) 

fake  (I:  set [ field] )  (H,  HI):  boolean  = 

EXISTS  (X:  (Fake (union  (sees  (H) ,  I)))):  HI  =  add(Msg(X),  H) 

global_extension (P :  protocol,  I:  set [field]) (H,  HI) :  boolean  = 
honest  (P)  (H,  HI)  OR  fake  (I)  (H,  HI) 


We  need  some  further  concepts  before  stating  our  secrecy  theorem.  The  basic  secrets 
associated  with  a  spell  include  not  only  the  elements  of  the  spell  book  but  also  the  long-term 
secrets  of  the  agents  in  the  cabal. 


ltk(C:  (Cast?) ) (X:  field) :  boolean  = 

Key?  (X) 

&  longterm (Val (X) ) 

&  EXISTS  (A:  agent):  Q  (A)  (Val (X) )  &  Cabal (C)  (A) 

basic_secrets (C) (X:  field) :  boolean  = 

basic?  (X)  AND  (Secrets (C)  (X)  OR  ltk(C)(X)) 


A  spell  is  compatible  with  an  initial  knowledge  set  that  does  not  compromise  its  asso¬ 
ciated  basic  secrets,  or  mention  the  short-term  secrets  in  its  book. 


compatible ( I :  set [ field] ) (C :  (Cast?)):  boolean  = 

disjoint? (basic_secrets  (C) ,  Parts  (I) ) 


The  set  of  reachable  states  H  is  defi  ned  in  the  usual  way  using  a  least  fi  xed-point  defi  ni- 
tion. 


74 


reachable  (P,  I)  (H)  :  INDUCTIVE  boolean  = 

empty? (H)  OR  (EXISTS  (G:  global)  :  reachable  (P,  I)  (G) 
&  global_extension (P ,  I) (G,  H) ) 


A  protocol  is  secure  with  respect  to  its  secrecy  policy  and  the  spy’s  initial  knowledge 
I  if  every  reachable  state  it  generates  is  secret-secure.  This  property,  for  traces,  was  called 
“discreet”  in  [3]. 


secret_secure ( I :  set [field]) (H:  global):  boolean  = 
FORALL  C:  compatible (I) (C)  &  H(C) 

=>  subset? (sees (H) ,  Coideal (basic_secrets (C) ) ) 


The  secrecy  proof  for  a  protocol  has  a  protocol-independent  part  and  a  protocol- 
dependent  part.  The  protocol-dependent  part  is  expressed  by  the  occultness  property  de- 
fi  ned  below.  It  says  that  if  the  prior  state  is  secret-secure,  the  next  message  event  generated 
by  the  protocol  does  not  compromise  a  secret.  This  has  to  be  proved  individually  for  each 
protocol.  This  protocol  property  was  called  “discreet”  in  [3]. 


occult  (P:  protocol)  :  boolean  = 

FORALL  (I:  set [field],  H:  global,  C:  (Cast?),  rp:  (protrule) ) : 
reachable  (P,  I)  (H) 

&  secret_secure ( I ) (H) 

&  compatible ( I )  (C) 

&  H(C) 

&  subset? (Pre  (rp) ,  H) 

&  P(rp) 

=>  subset? (sees (Post (rp) ) , Coideal (basic_secrets (C) ) ) 


The  protocol-independent  part  of  a  secrecy  proof  is  the  Secrecy  theorem.  It  only  has  to 
be  proved  once. 


secrecy:  THEOREM 

occult (P)  =>  subset ?( reachable (P ,  I),  secret_secure ( I ) ) 


The  proof  of  this  theorem  is  along  the  lines  of  the  proof  in  [3]  for  proving  a  secrecy 
theorem  for  trace  models,  but  now  the  induction  is  on  the  length  of  protocol  extensions  (see 
Deti  nition  of  reachability). 

Notice  that  these  are  strictly  secrecy  results,  and  show  only  that  the  secrets  generated  in 
a  particular  run  of  the  protocol  are  not  compromised.  Most  authors  of  protocol  proofs  have 
noted  that  the  security  objectives  of  a  protocol  may  be  undermined  in  other  ways  than  by 
compromising  secrets,  usually  due  to  some  failure  of  authentication.  Possible  combinations 
of  secrecy  and  authentication  are  discussed  in  [3]. 


75 


5  Example:  The  Otway-Rees  Protocol 


The  goal  of  the  Otway-Rees  protoeol  is  to  mutually  authentieate  an  initiator  and  responder 
and  to  distribute  a  session  key  generated  by  the  server.  One  session  eonsists  of  the  four 
messages  in  Figure  1.  We  prove  that  none  of  the  seerets  N^,  Ni^,  or  K  are  diselosed. 


on  =  ^  ^  S  :  JV,  A-B}shr(y4) 

or2  =  B  ^  Srv  : 

on  =  Sry^B: 

ovi  =  B  ^  A:  N,{Na,K}^^^^^^ 


Figure  1 :  The  Otway-Rees  Protoeol 

The  informal  rules  in  Figure  1  are  easily,  albeit  somewhat  tediously,  eneoded  in  the  traee 
model.  Here  we  only  state  a  seleetion  of  the  formalization  of  the  Otway-Rees  protoeol  rules. 

The  spell  rule  spll  generates  the  nonee  Na  as  needed  for  the  first  protoeol  step.  Note 
that  the  server  need  not  be  mentioned  in  the  eabal. 


spll (A,  B:  agent,  Na :  nonce):  (protrule)  = 

(#  Pre  :=  emptyset, 

Nonces  :=  singleton (Na) , 

Post  :=  singleton  (Cast (add (Na, emptyset) , 

add(A,  add(B,  emptyset)))) 


#) 


The  type  eonstraint  (protrule)  eauses  the  PVS  type  eheeker  to  generate  verifiea- 
tion  eonditions  eorresponding  to  the  eonditions  on  protoeol  rules.  These  and  all  the  other 
verifi  eation  eonditions  are  easily  diseharged  using  the  PVS  proven 

Sending  and  reeeiving  is  split  into  two  parts.  The  fi  rst  step  in  the  Otway-Rees  protoeol, 
for  example,  is  transeribed  as  follows. 


76 


sndl (A,  B:  agent,  N,  Na :  nonce) :  (protrule)  = 

(#  Pre  :=  add (State (roleA,  0,  A  ++  B  ++  Srv) , 
add (Cast (add (Na,  emptyset) , 

add (A,  add(B,  emptyset))),  emptyset)). 

Nonces  :=  add(N,  emptyset). 

Post  :=  add (State (roleA,  1,  A  ++  B  ++  Srv  ++  Na)  , 
add (Msg (N  ++  A  ++  B  ++  Encr(Shr(A), 

Na  ++  N  ++  A  ++  B) ) ,  emptyset) ) 

#) 

rcvl (A,  B:  agent,  N,  Na :  nonce) :  (protrule)  = 

(#  Pre  :=  add (State (roleB,  0,  B  ++  Srv), 
singleton (Msg (N  ++  A  ++  B 

++  Encr(Shr(A),  Na  ++  N  ++  A  ++  B) ) )  , 

Nonces  :=  emptyset. 

Post  :=  singleton (State (roleB,  1,  B  ++  Srv  ++  N  ++  A) ) 

#) 


Rules  that  introduce  nonces  (to  be  kept  secret)  take  them  from  a  prior  spell  with  the 
expected  cabal.  When  an  agent  uses  a  secret  from  a  spell  book,  the  agent  does  not  see  any 
of  the  other  secrets  in  the  same  spellbook,  though  it  might  know  about  them  from  prior 
messages. 

In  general,  a  sequence  of  states  generated  by  these  rules  interleaves  the  behavior  of  as 
many  agents  as  we  wish,  and  any  number  of  concurrent  or  sequential  sessions  of  the  same 
agents.  Altogether,  the  Otway-Rees  protocol  is  formalized  as  follows. 


otway_rees:  protocol 

= 

{  r:  (protrule)  | 

EXISTS  A, 

B,  N,  Na, 

Nb,  K: 

r 

=  init (A, 

B) 

OR  r 

=  spll (A, 

B,  Na) 

OR  r 

=  sndl (A, 

B,  N,  Na) 

OR  r 

=  rcvl (A, 

B,  N,  Na) 

OR  .  . 

•  } 

The  secrecy  theorem  states  that  it  suffices  to  show  occult  {otway_rees)  .  In  a 
fi  rst  step,  using  skolemization  and  split  rules  in  order  to  show  occultness  for  reach  rule 
separately.  For  the  lemma  below  occultness  follows  trivially  for  most  protocol  rules. 


suf f icient_for_occultness :  LEMMA 

disjoint? (Msg?,  Post (rp) )  =>  occult (singleton (rp) ) 


It  remains  to  prove  occultness  for  four  rules  in  the  Otway-Rees  protocol.  In  the  case  of 
the  sndl  rule,  for  example  one  has  to  prove. 


77 


{-1}  subset ?( sees (H) ,  Coideal (basic_secrets (C) ) ) 

{-2}  reachable (OR,  I) (H) 

{-3}  H(C) 

{-4}  H (State (roleA,  0,  A  ++  B  ++  Srv) ) 

{-5}  H (Cast (add (Nonce (Na) ,  emptyset) ,  add (A,  add(B,  emptyset ) ) ) ) 


{1}  Coideal (basic_secrets (C) ) 

(N  ++  A  ++  B  ++  Encr(Shr(A),  Na  ++  N  ++  A  ++  B) ) 


Currently,  we  still  prove  these  kinds  of  verifi  eation  eonditions  in  an  interaetive  way 
(typieally  around  20-40  interaetions  per  rule),  but  the  repetitive  patterns  in  these  proofs 
suggest  higher-level  proof  strategies. 


6  Conclusions 

Our  seereey  theorem  separates  protoeol-dependent  and  protoeol-independent  aspeets  of  se- 
ereey  proofs.  The  protoeol-dependent  part  is  to  show  the  oeeultness  property,  whieh  only 
asks  whether  honest  messages  eompromise  seerets,  given  strong  assumptions  about  the 
preservation  of  seereey  in  the  prior  message  history. 

The  seerets  to  be  proteeted  are  defi  ned  in  an  explieit,  uniform  way  by  introdueing 
“spell”  events  into  the  protoeol.  Spell  events  generate  the  short-term  seerets  for  a  partieular 
“eabal”,  the  set  of  agents  sharing  the  new  seerets.  Seerets  are  shown  to  be  proteeted  even 
when  the  long-term  seerets  of  other  agents,  or  the  short-term  seerets  in  other  protoeol  runs 
(with  other  spells)  are  eompromised. 

The  elosure  results  on  the  eoideal  have  turned  out  to  be  a  useful  addition  to  the  arsenal 
of  proof  teehniques,  enabling  interesting  examples  to  be  shown  seeure.  Protoeol  proofs  are 
still  eomplex  enough  so  that  we  feel  proof-eheeking  and  automation  to  be  valuable  for  the 
sake  of  assuranee,  and  we  believe  that  the  same  teehniques  that  simplify  manual  proofs  will 
also  be  helpful  in  organizing  maehine-assisted  proofs. 

Currently,  we  are  developing  high-level  PVS  strategies  for  automatieally  diseharging 
most  verifi  eation  eonditions  for  typieal  protoeol  rules.  In  these  strategies  we  try  to  eapture 
the  repetitive  patterns  that  have  been  showing  up  in  hand  and  meehanized  interaetive  proofs. 
It  is  our  hope  that,  using  these  strategies,  we  ean  prove  seereey  results  about  realistie  pro- 
toeols  in  a  ’’fairly”  automatie  way.  Also,  we  have  developed  a  translator  from  the  CAPSL 
protoeol  speeifi  eation  language  to  a  eorresponding  PVS  protoeol  model.  In  this  way,  PVS 
is  used  as  a  baekend  for  eryptographie  protoeol  analysis. 


78 


References 


[1]  I.  Cervesato,  N.  Durgin,  P.  Lincoln,  J.  Mitchell,  and  A.  Scedrov.  A  meta-notation  for 
protocol  analysis.  In  12th  IEEE  Computer  Security  Eoundations  Workshop,  pages  55- 
69.  IEEE  Computer  Society,  1999. 

[2]  E.  Gong.  Enclaves:  Enabling  Secure  Collaboration  over  the  Internet.  IEEE  Journal  of 
Selected  Areas  in  Communications,  15(3):567-575,  April  1997. 

[3]  J.  Millen  and  H.  RueB.  Protocol-independent  secrecy.  In  2000  IEEE  Symposium  on 
Security  and  Privacy.  IEEE  Computer  Society,  2000. 

[4]  D.  Otway  and  O.  Rees.  Effi  cient  and  timely  mutual  authentication.  ACM  Operating 

System  Review,  1987. 

[5]  S.  Owre,  J.  Rushby,  N.  Shankar,  and  E.  von  Henke.  Eormal  Verifi  cation  for  Eault- 
Tolerant  Architectures:  Prolegomena  to  the  Design  of  PVS.  IEEE  Transactions  on 
Software  Engineering,  21(2):  107-125,  Eebruary  1995. 

[6]  J.  Thayer,  J.  Herzog,  and  J.  Guttman.  Honest  ideals  on  strand  spaces.  In  11th 
IEEE  Computer  Security  Eoundations  Workshop,  pages  66-78.  IEEE  Computer  So¬ 
ciety,  1998. 


79 


Proving  Secrecy  Is  Easy  Enough* 

Presented  at  CSFW  2001 

Veronique  Cortier 

Laboratoire  Specification  et  Verification 
Ecole  Normale  Superieure  de  Cachan 
61,  Avenue  du  President  Wilson,  94230  Cachan,  France 
cortier@lsv.ens-cachan.fr 

Jon  Millen  and  Harald  RueB 
SRI  International,  Computer  Science  Laboratory 
333  Ravenswood  Ave,  Menlo  Park,  CA  94035,  USA 
{millen,ruess}  @csl.sri.com 

September  25,  2002 


Abstract 

We  develop  a  systematic  proof  procedure  for  establishing  secrecy  results 
for  cryptographic  protocols.  Part  of  the  procedure  is  to  reduce  messages  to 
simplifi  ed  constituents,  and  its  core  is  a  search  procedure  for  establishing  se¬ 
crecy  results.  This  procedure  is  sound  but  incomplete  in  that  it  may  fail  to  es¬ 
tablish  secrecy  for  some  secure  protocols.  However,  it  is  amenable  to  mech¬ 
anization,  and  it  also  has  a  convenient  visual  representation.  We  demonstrate 
the  utility  of  our  procedure  with  secrecy  proofs  for  standard  benchmarks  such 
as  the  Yahalom  protocol. 


1  Introduction 

Cryptographic  protocols  are  used  to  achieve  goals  like  authentication  and  key  dis¬ 
tribution  in  a  possibly  hostile  environment.  These  protocols  are  notoriously  dif- 
fi  cult  to  design  and  test,  and  serious  flaws  have  been  found  in  many  protocols. 
Consequently  there  has  been  a  growing  interest  in  applying  formal  methods  for 
validating  cryptographic  protocols.  In  particular,  standard  program  verifi  cation 

*  This  work  was  funded  by  DARPA  through  the  Air  Force  Research  Laboratory  Contract  F30602- 
98-C-0258  and  by  DARPA  through  Rome  Lab  contract  F30602-96-C-029L 


80 


techniques  such  as  model  checking,  theorem  proving,  or  invariant  generation  have 
been  found  to  be  essential  tools;  a  recent  overview  has  been  given  by  Meadows  [9]. 

A  popular  choice  is  to  use  model  checking  procedures  for  debugging  purposes 
by  searching  for  attacks.  These  techniques,  however,  are  not  directly  applicable 
for  verifi  cation,  since  search  spaces  usually  can  not  be  explored  exhaustively.  In 
contrast,  approaches  based  on  theorem  proving  techniques  aim  at  mathematical 
proofs  of  the  desired  protocol  properties  [3,  6, 15, 17].  We  review  the  techniques 
that  are  most  closely  related  to  our  work.  Paulson  [15]  uses  an  interactive  theorem 
prover  to  prove  invariance  properties  by  proving  that  they  are  inductive,  i.e.  they 
are  preserved  by  the  execution  of  each  and  every  protocol  rule.  Domain-specifi  c 
tactics  are  crucial  for  mechanizing  the  process  of  proof  construction,  but  verifi  ca¬ 
tions  still  require  considerable  effort  and  insight  into  the  workings  of  the  protocol 
under  consideration.  Cohen’s  [3]  approach  is  much  more  automatic.  He  constructs 
a  fi  rst-order  invariant  from  a  protocol  description,  and  uses  fi  rst-order  reasoning  for 
establishing  safety  properties.  Cohen’s  approach  is  amenable  to  both  hand  proofs 
and  automation.  Indeed,  he  applies  his  method  to  verify  the  large  majority  of  the 
benchmark  protocols  in  the  Clark  and  Jacob  survey  [2]  with  only  a  small  amount 
of  user  intervention. 

In  contrast  to  the  work  by  Paulson  and  Cohen  we  do  not  consider  safety  prop¬ 
erties  in  general,  but  we  restrict  ourselves  to  the  specifi  c  case  of  proving  secrecy 
invariants  of  cryptographic  protocols;  that  is,  our  main  interest  is  in  proving  that 
secrets  are  not  accidentally  revealed  to  unauthorized  agents.  Proving  secrecy  in¬ 
variants  for  cryptographic  protocols  has  often  been  found  to  be  the  hardest  task 
in  analyzing  a  protocol  [15].  Indeed,  secrecy  has  been  shown  to  be  undecidable 
even  under  very  weak  assumptions  on  the  protocol  [4],  while  specialized  logics  for 
establishing  authentication  are  usually  decidable  [11]. 

Our  proof  technique  is  to  perform  inductive  proofs,  as  advocated  by  Paul¬ 
son  [15].  To  help  express  secrecy  goals,  we  make  use  of  the  “spell”  events  intro¬ 
duced  in  [10].  However,  this  paper  does  not  use  the  trace  model  as  in  [10]  or  [15], 
but  a  new  state-transition  model  similar  to  the  MSR  model  proposed  by  Mitchell 
el  al  [1].  We  have  found  that  the  Secrecy  Theorem  in  [10]  could  be  adapted  to 
work  just  as  well  in  this  context.  The  current  model  and  our  use  of  PVS  to  perform 
inductive  proofs  with  this  model  were  presented  at  a  workshop  that  did  not  have 
a  published  proceedings  [16].  We  have  used  this  approach  mainly  for  proving  se¬ 
crecy  of  standard  benchmark  protocols  such  as  the  Otway-Rees  and  the  Needham- 
Schroeder  protocol.  Dutertre  et  al  [5]  used  our  techniques  for  verifying  the  group 
management  services  of  Enclaves  [7]. 

The  starting  point  for  this  paper  is  the  observation  that  secrecy  proofs  based 
on  the  decomposition  of  the  Secrecy  Theorem  follow  a  standard  pattern  that  is 
amenable  to  mechanization,  and  which  also  has  a  convenient  visual  representa- 


81 


tion.  Part  of  the  procedure  is  to  reduce  messages  to  simpliti  ed  constituents  called 
branches.  The  core  is  a  search  procedure  for  establishing  secrecy  results.  This 
procedure  is  sound  but  incomplete  in  that  it  may  fail  to  establish  secrecy  for  some 
secure  protocols. 

The  paper  is  structured  as  follows.  In  Section  2  we  review  a  state-based  model 
for  modeling  cryptographic  protocols,  and  we  state  a  suitable  security  policy  to¬ 
gether  with  a  corresponding  secrecy  theorem  as  introduced  in  [16].  This  theorem 
reduces  secrecy  proofs  to  local  proof  obligations  on  protocol  transitions;  these  obli¬ 
gations  are  called  occultness  conditions.  In  Section  3  we  develop  a  characterization 
of  the  occultness  notion,  which  is  used  to  initialize  our  proof  procedure.  Then,  in 
Section  4  we  describe  a  search  procedure  for  establishing  secrecy  results.  More¬ 
over,  Section  4  contains  a  soundness  result  for  this  search  procedure,  and  we  sketch 
a  convenient  graphical  representation  for  occultness  proofs.  Section  5  includes 
some  case  studies  drawn  from  the  Clark-Jacob  survey  [2]  such  as  the  Yahalom  and 
the  Kao  Chow  repeated  authentifi  cation  protocol.  We  also  demonstrate  a  proof  of 
non-occultness  from  a  failed  proof  attempt.  Section  6  contains  some  concluding 
remarks. 

2  Background 

We  give  an  overview  of  state-based  encodings  of  protocols,  a  security  policy  based 
on  the  notion  of  coideals,  and  a  secrecy  theorem  for  generating  local  verifi  cation 
conditions.  More  detailed  descriptions  can  be  found  in  [10, 16]. 

Message  Fields.  The  set  Fields  of  message  fi  elds  is  made  up  of  primitive  and 
compound  fi  elds.  The  primitive  fi  elds  are  fhose  of  types  Agent,  Key,  and  Nonce. 
Keys  and  nonces  form  fhe  sef  Basic;  fhese  basic  fi  elds  are  fhe  only  fypes  of  fi  elds 
fhaf  may  be  designafed  as  secref,  as  a  protocol  policy  goal.  Compound  fi  elds  are 
consfrucfed  by  concafenafion  [X,  Y]  (often  wriffen  wifhouf  brackefs)  or  encrypfion 

As  a  nofafional  convenfion,  variables  A,  B  and  varianfs  always  sfand  for  agenfs; 
K  and  varianfs  always  sfand  for  keys;  and  N  and  varianfs  are  always  nonces.  The 
reserved  subscripf  “s”  idenfifi  es  a  sef,  so  is  a  sef  of  nonces. 

Each  agenf  A  has  some  long-term  keys:  a  public  key  pub(A),  a  corresponding 
private  key  prv(A),  and  a  symmefric  key  shr(A),  which  is  shared  befween  A  and 
a  designafed  server  agenf  Srv.  Each  key  K  has  an  inverse  key  K~^;m  particular, 
pub(A)“^  =  prv(A),  prv(A)“^  =  pub(A),  while  shr(A)“^  =  shr(A),  as  is  fhe 
case  wifh  any  symmefric  keys.  Keys  generafed  during  a  protocol  session  are  always 
symmefric  keys. 


82 


Events  and  Global  States.  There  are  three  kinds  of  events:  message,  spell,  and 
state  events.  A  message  event  is  simply  a  fi  eld  representing  the  eontent  of  the  mes¬ 
sage.  A  spell  event  C  =  S'  |  L  €  Spells,  generates  the  book,  or  session-speeifi  e 
set  of  basie  seerets  Book{C)  =  S,  whieh  are  shared  among  the  set  Cabal (C)  =  L 
of  agents,  the  cabal. 

A  state  event  is  of  the  form  Q  =  An{X)  E  States  where  A  is  a  role  name,  n 
is  a  natural  number  that  represents  the  step  of  the  protoeol,  and  X  =  Mem{Q)  is 
a  eoneatenated  fi  eld  that  represents  the  memory  held  by  the  state.  We  also  write 
Mem{H)  =  {Mem{Q)\Q  E  H  Cl  States}  for  any  event  set  H.  As  a  notational 
eonvention,  we  use  Q  (and  variants)  to  denote  state  events,  while  M  is  a  message 
event,  and  C  is  a  spell  event.  The  set  of  basic  secrets  of  a  spell  eonsists  of  its  book 
plus  the  long-term  keys  of  its  eabal: 

Sec{C)  =  Book{C)  U  ltk{Cabal{C)) 

The  long-term  keys  are  those  generated  by  pub(.),  prv(.),  and  shr(.). 

A  global  state  is  a  set  (not  a  multiset)  of  events.  Notationally,  variants  of  H 
are  global  states  or  event  sets.  The  content  of  a  global  state  is  its  set  of  messages, 
written: 

Cont{H)  =  Hn  Fields 

Similarly,  the  seerets  of  a  global  state  are  obtained  from  its  spell  events. 

Sec{H)  =  |J{5ec(C')|C'  €  H} 

A  basie  fi  eld  X  is  unused  in  H  if  if  is  neifher  a  parf  of  a  fi  eld  in  fhe  eonfenf  nor  a 
seeref  of  H. 

unused (H)  =  {X  E  Basic  \ 

X  0  parts{Cont{H)),  X  0  Sec{H)} 

Inductive  Relations.  parts(S')  is  the  set  of  all  subfi  elds  of  fi  elds  in  the  set  of 
fi  elds  S,  ineluding  eomponents  of  eoneatenations  and  the  plaintext  of  eneryptions 
(but  not  the  keys).  analz(S')  is  the  subset  of  parts(S')  eonsisting  of  only  those 
subfi  elds  that  are  aeeessible  to  an  attaeker.  These  inelude  eomponents  of  eoneate¬ 
nations,  and  the  plaintext  of  those  eneryptions  where  the  inverse  key  is  in  analz(5). 
More  preeisely,  analz(S')  is  the  smallest  superset  of  S  sueh  that  X  E  analz(S')  and 
Y  E  analz(S')  if  [X,  E]  E  analz(S'),  and  X  E  analz(S')  if  {X}k  E  analz(S')  and 
K~^  E  analz(S').  Finally,  synth(S')  is  the  set  of  fi  elds  eonstruetible  from  5  by  eon- 
eatenation  and  eneryption  using  fi  elds  and  keys  in  S.  It  is  defi  ned  to  be  the  smallest 
superset  of  S  sueh  that  [AT,  E]  E  synth(S')  if  X  €  synth(S')  and  Y  E  synth(S'), 


83 


(0) 


0 

r  {Na,N,,K}t{A,B},  ] 

1  Ai(A,B,Srv), 

Bi  (B,  Srv), 

Srvi(Srv)  J 

{Na,.}t{A,B}  ■ 
Ai{A,B,  Srv) 

A2{A,B,Srv,Na),  \ 

[A,A{iVa,A,P}shr(A)]  J 

[N,A,X], 

Bi(P,  Srv), 
{At,.}!  {AS}  , 

1 

■  B2{B,Srv,A,N),  1 

.  [N,B,A,X,{N,N,AU,^b)]  J 

M,  " 

Srvi  (5rv), 
{K,.}t{A,B}  ^ 

1^ 

{ 

Srv2(Srv),  1 

.  [A,{Aa,A}3hr(A),{A6,A}3hr(B)]  / 

where  M  =  [N,  B,  A,  {Na,N,  B}shr(A),  {iVt,  JV,  ^}shr(B)] 

Figure  1 :  Encoding  of  part  of  Otway-Rees  protocol. 


(1) 

(2) 


(3) 


and  {X}k  G  synth(S')  if  €  synth(S')  and  K  E  synth(S').  The  intruder  in  our 
model  synthesizes  faked  messages  from  analyzable  parts  of  a  set  of  available  fi  elds. 
This  motivates  the  defi  nition  fake(S')  =  synth(analz(S')). 

Ideals  and  Coideals.  An  ideal  I{S)  denotes  the  set  of  fields  that  have  to  be 
protected  in  order  not  to  reveal  any  secrets  in  S'  [18].  It  is  defi  ned  as  fhe  smallesf 
supersef  of  S  such  fhaf  [X,  Y]  E  I{S)  if  E  I{S)  or  y  E  I{S),  and  {X}k  G 
I{S)  if  X  E  T{S)  and  K~^  0  The  complemenf  of  an  ideal,  fhe  coideal, 

is  denofed  by  C(S).  This  defi  nes  fhe  sef  of  fi  elds  fhaf  are  public  wifh  respecf  fo 
fhe  basic  secrefs  S,  i.e.,  fields  whose  release  would  nol  compromise  any  secrefs 
in  S.  Coideals  are  inferesfing  because  fhey  are  closed  under  allacker  analysis;  i.e. 
fake(C(S))  =  C{S)  for  all  primitive  fi  elds  S. 


New  it) 

Protocols.  A  protocol  Iransilion  f  is  of  fhe  form  Pre(f)  — >  Posf(f),  where 
Pre{t)  and  Post{t)  are  sef  of  evenls  and  New{t)  is  a  sef  of  nonces.  Such  Iransifions 
specify  a  possible  global  slate  change  in  a  way  lo  be  explained  below. 

Excepl  for  an  initialization  fransilion,  a  Iransilion  t  shows  a  slale  change  for 
one  role.  If  may  also  produce,  in  fhe  posl,  a  message  or  a  spell  bul  nol  bolh. 


84 


A  primitive  fi  eld  oeeurring  in  post  messages  or  state  memory  must  oeeur  in  the 
messages  or  state  memory  of  the  pre  or  among  the  nonees.  This  eondition  is  ealled 
regularity,  and  it  implies  that  no  long-term  keys  are  deliberately  introdueed  into 
a  post  message.  There  is  also  a  restrietion  that  seerets  in  a  post  spell  are  all  in 
New{t).  (The  freshness  of  nonees  in  New{t)  resides  in  reaehability.) 

A  protocol  is  simply  a  set  of  protoeol  transitions.  A  protoeol  speeifi  eation  is  a 
set  of  rules,  where  eaeh  rule  is  a  sehema  defi  ning  a  set  of  transitions  using  terms 
with  free  variables.  More  formally,  a  transition  t  is  an  instance  of  a  mle  rl  iff  there 
exists  a  ground  substitution  cr,  deli  ned  on  the  variables  of  rl,  sueh  that  t  =  a{rl). 

Protoeol  rules  for  the  fi  rst  three  messages  of  the  familiar  Otway-Rees  [13]  (OR) 
and  Needham-Sehroeder-Lowe  [8, 12]  (NSL)  publie  key  protoeols  ean  be  found  in 
Figures  1  and  2,  respeetively.  Often,  as  in  the  Needham-Sehroeder  speeifi  eafion, 
we  omif  fhe  sfafe  evenfs  for  brevify  when  fhey  are  nof  needed  for  our  purposes. 

In  bofh  profoeols,  eaeh  session  is  initialed  wilh  a  spell  lo  inlroduee  fhe  session- 
speeifi  c  seerels  and  a  eorresponding  eabal.  In  addilion,  fhe  Olway-Rees  protoeol 
inlroduees  a  non-seeref  nonee  N  in  rule  1. 

Global  State  Transitions.  Given  a  protoeol  P  and  a  set  of  initial  knowledge  I 
(of  the  spy),  the  global  succession  relation  transforms  a  state  H  to  a  new  state  H' . 
A  sueeession  is  either  honest,  i.e.  it  eorresponds  to  an  aetion  by  an  agent  following 
the  protoeol,  or  it  is  faked  by  the  spy. 

•  H'  is  an  honest  sueeessor  of  H,  denoted  by  honest {P){H,  H'),ii  there  ex¬ 
ists  an  applieable  transition  f  in  P  sueh  that  H'  =  {H\{Pre{t)  fl  States))  U 
Post{t). 

•  H'  is  a  fake  sueeessor  of  H,  denoted  by  fake{I){H,  H'),  if  there  exists  a 
fi  eld  X  e  iake{Cont{H)  U  I)  sueh  that  H  =  H  U  {X}. 

In  the  honest  ease,  a  transition  t  is  applicable  in  H  if  Pre{t)  C  H  and  New{t)  C 
unused (H).  In  the  fake  ease,  the  spy  is  restrieted  to  adding  only  messages  that  ean 
be  inferred  from  the  eontent  of  the  eurrent  state  and  the  initial  knowledge.  In  either 
ease,  we  write  global {P)  (I)  {H,  H').  This  relation  determines  a  logieal  transition 
system  with  the  empty  set  of  events  as  its  initial  state.  The  set  of  reaehable  states 
of  this  transition  system  is  denoted  by  reachable{P,  I). 

Beeause  protoeol  spell  books  introduee  only  unused  seerets,  it  is  easy  to  show 
that  the  spell  books  of  different  spells  are  disjoint. 

Lemma  1  (Disjoint  Book)  If  C,C'  E  H  E  reachable  {P,  I)  then  either  C  =  C 
or  Book{C)  and  Book{C')  are  disjoint. 


85 


Secrecy  Policy.  A  spell  is  compatible  with  an  initial  knowledge  set  I  that  does 
not  mention  its  assoeiated  basie  seerets. 

compatible  {!)  =  {C  \  Sec{C)  fl  parts(/)  =  0} 

Given  the  spy’s  initial  knowledge  I,  a  global  state  H  is  ealled  I -discreet  if 
Cont{H)  C  C(Sec(C))  for  all  7-eompatible  spells  C  E  H',  these  states  are  eol- 
leeted  in  the  set  discreet  {!).  Now,  a  protoeol  P  is  ealled  discreet  if  discreet  (!)  is 
an  invariant  of  the  transition  relation  assoeiated  with  P;  i.e.  for  all  I,  reachable  (P,  I) 
is  a  subset  of  discreet  {!). 

Secrecy  Theorem.  As  in  [10],  the  Seereey  Theorem  serves  to  split  the  seereey 
proof  for  a  protoeol  into  a  protoeol-independent  part  and  a  protoeol-dependent  part. 
The  protoeol-dependent  part  is  expressed  by  the  oeeultness  property.  It  says  that 
if  the  prior  state  is  disereet,  the  next  message  event  generated  by  the  protoeol  does 
not  eompromise  a  seeret. 

Some  more  notation  needs  to  be  introdueed  before  defi  ning  oeeultness.  A  P- 
configuration  is  a  tuple  (I,  77,  C)  suehthat  77  €  reachable{P,  I),  77  E  discreet(I), 
C  E  compatible  {!),  and  C  E  H.  Now,  a  protoeol  P  is  said  to  be  occult  if  for  all 
P -configurations  (7,  77,  C)  and  for  eaeh  applieable  transition  t  in  P, 

Cont{Post{t))  C  C(Sec(C)). 

The  protoeol-independent  part  of  a  seereey  proof  is  the  Seereey  Theorem. 

Theorem  1  (Secrecy  Theorem)  A  protocol  P  is  discreet  ijf  it  is  occult. 

This  theorem  reduees  seereey  proofs  to  proving  oeeultness  of  individual  rules  of 
the  protoeol.  In  the  ease  of  the  Otway-Rees  protoeol  in  Figure  1,  for  example,  we 
are  redueed  to  showing  oeeultness  of  the  rules  (1),(2),(3),  sinee  oeeultness  holds 
trivially  for  rule  (0).  (The  fourth  rule  is  also  easy  to  handle.)  For  rule  1  of  the 
Otway-Rees  protoeol  we  have  to  prove  that  for  all  reaehable  and  7-disereet  global 
states  77,  and  for  all  7-eompatible  spells  (7  €  77  it  follows  from  the  applieability 
eonditions 


.  e  77, 

•  Ai(A,  P,5ru)  e  77,  and 

•  N  E  unused{H) 


86 


{Na,Nt} 


0 

{N,,.}t{A,B},  1 

[{-^a,  ^}pub(B)]  / 

{[{iV„,iV6,i?}p„b(A)]} 


(0) 

{[{Aa, 

(1) 

{[{Aa,  A6,B}pub(A)]} 

(2) 

{[{AtjpubCB)]} 

(3) 

Figure  2:  Encoding  of  Needham-Schroeder-Lowe  protocol. 


that  [JV,  {iVa,  iV,  i?}shr(yi)]  £  C{Sec{C)).  To  establish  this,  we  have  to  check 
two  cases,  depending  on  whether  C  is  the  spell  in  the  rule  or  not.  If  it  is,  we  note 
that  shr(^)  is  in  the  coideal;  in  the  other  case,  there  is  no  secret  to  protect,  because 
the  Disjoint  Book  Lemma  implies  that  Ng,  is  not  in  Book{C).  This  case  split 
argument  is  one  of  the  tasks  that  are  simplifi  ed  away  using  the  search  procedure 
we  will  present. 

It  is  undecidable  whether  or  not  a  given  protocol  P  is  occult.  Undecidability  of 
protocol  security  is  well  known,  and  has  been  proved  in  several  different  models. 
See,  for  example,  [4]  and  its  references.  A  proof  for  this  particular  model  works 
by  a  simple  encoding  of  the  reachability  problem  of  Turing  machines  such  that  the 
encoded  Turing  machine  reaches  its  fi  nal  state  iff  the  protocol  is  not  occult. 

Let  T  be  a  Turing  Machine,  Q  the  set  of  states,  (qq  is  the  initial  state  and  qf 
is  the  fi  nal  state),  S  the  Tape  Alphabet,  (jj  is  the  blank  symbol),  its  transitions  are 
on  the  form  qi  oi  — >■  q2  02,  N,  where  ^1,^2  £  Q,  0,1,02  €  S  and  N  €  {L,  R,  S}. 
The  interpretation  is  :  if  the  machine  T  is  in  state  qi  and  its  head  points  oi  then  T 
changes  to  state  q2,  replaces  oi  with  02  and  moves  the  head  right  (if  N  =  R),  left 
(if  N  =  L)  or  stays  at  the  current  cell  (if  N  =  5). 

We  do  a  copy  S'  of  the  Tape  Alphabet  :  a  primed  letter  represents  the  letter 
pointed  by  the  head  of  the  Turing  machine.  We  associate  a  number  na  €  N  to  each 
a  €  S,  a'  €  S',  a  number  €  N  to  each  q  E  Q. 

We  encode  the  letters  a  €  S  U  S'  and  the  states  q  E  Q  as  following  : 

a  =  N,---,N,A,  q  =  N,--- ,N,A 
' - - '  ' - ' 

Ua  times  uq  times 

(Actually,  the  letters  and  the  states  are  encoded  by  a  specifi  c  length  of  nonces  and 
are  separated  by  the  name  of  an  agent  A) 


87 


We  encode  the  transitions  qi  ai  q2a2,R  by  the  rules: 

[[{K,  ^  X,  ^  5  nshr(A)]}  ^  {m  ^  V,  nshr(A)]} 

for  all  6  €  S 

{  [{K,  ft,  a'l  }shr(A)]  }  {  [{K,  ft,  ft,  F}shr(A)]  } 

In  addition,  we  have  to  consider  the  same  rules  where  respectively  X,  X  and 
Y,  and  Y  are  omitted. 

shr(^)  is  a  private  key  shared  between  the  server  and  A  but  it  could  be  any 
shared  key  between  2  agents. 

The  initialization  rule  is 

0  {KtA[{K,^JU,(^A)]} 

and  the  “fi  nal”  rule  is 

{[{if,^,XU(A)]}  ^  {[K]} 

The  fi  nal  state  of  the  Turing  machine  is  reachable  iff  this  protocol  is  not  occult. 

Using  theorem  1  it  follows  that  it  is  also  undecidable  whether  or  not  a  given 
protocol  is  discreet. 

3  Branches 

Occultness  proofs  work  by  contradiction.  In  proving  occultness  of  rule  1  of  the 
Otway-Rees  protocol  in  Figure  1,  for  example,  one  tries  to  obtain  a  contradiction 
from  the  assumption  [N,  A,  {Na,  iV,  i^jshrfA)]  £  I{Sec{C))  .  Using  the  defi  nition 
of  ideals  we  are  reduced  to  show  that  each  of  the  cases  N  €  I{Sec{C)),  A  € 
I{Sec{C)),  and  {iVa,  iV,  i?}shr(yi)  £  I{Sec{C))  yields  a  contradiction.  The  sec¬ 
ond  case  yields  an  immediate  contradiction,  since  agents  names  are  not  elements  of 
ideals.  Furthermore,  using  the  defi  nifion  of  ideals,  fhe  fhird  case  can  be  simplifi  ed 
furlher  fo  fhe  disjunction  shr(^)  ^  I{Sec{C))  or  [Na-,N,B]  €  I{Sec{C)).  In 
general,  a  fi  eld  M  is  in  fhe  coideal  generated  by  Sec{C)  iff  for  each  nonce  or  key 
B  in  parts(M),  eifher  B  is  nol  in  Sec{C)  or  B  is  encrypted  wifh  af  teas!  one  key 
in  Sec{C). 

This  observation  suggesfs  fhaf,  insfead  of  examining  M  ilself,  we  examine 
fhe  basic  secrefs  occurring  in  if  and  fhe  keys  profecfing  fhem.  A  branch  is  a  pair 
consisting  of  a  basic  fi  eld  and  a  sef  of  keys.  The  following  recursion  computes  fhe 
branches  occurring  in  a  fi  eld  M. 


88 


Definition  1  bnch(M)  is  defined  as  bnch(M,  0),  where 

bnch(iV,if,)  =  {{N,Ks)} 
bnch{K,Ks)  =  {{K,Ks)} 
bnch(^,iir5)  =  0 

bnch([Mi,  M2],iiCs)  =  bnch(Mi,  U 

bnch(M2,if,) 

bnch({M}x,-^s)  =  bnch(M,  iiLs  U  {if}) 

Thus, 

bnch([iV,A{iV„,iV,i?}3hr(A)])  = 

{(Ar,0),  (iV„,{shr(^)}),  (iV,{shr(^)})}. 

It  turns  out  that  field  M  is  in  C(S)  if  and  only  if  its  branches  satisfy  a  simple 
condition.  The  proof  of  is  by  induction  on  the  operator  depth  of  M. 

Proposition  1  Let  S  be  a  set  of  basic  fields;  then: 

M  e  C(5)  iff  for  all  {Y,Ks)  €  bnch(M).- 

y  e  5  ^  n  5  0. 

Definition  2  For  a  protocol  P,  a  branch  b  =  {Y,Ks),  Eg  a  set  of  events,  and 
Ng  a  set  of  nonces,  the  predicate  occ{P,b){Eg,  Ng)  is  defined  to  hold  iff  for  all 
P -configurations  (7,  i7,  C)  such  that 

1.  Eg  C  H, 

2.  Ng  C  unused{H),  and 
7.  y  e  Sec{C) 

it  is  the  case  that  fl  Sec{C)  0.  For  a  transition  t  we  write  occ{P,  6)(t) 
instead  of  occ{P,  b){Pre{t)^  New{t)). 

The  following  characterization  of  protocol  occultness  is  a  straightforward  conse¬ 
quence  of  Proposition  1 . 

Proposition  2  A  protocol  P  is  occult  iff 

1.  for  all  transitions  t  E  P, 

2.  for  all  message  fields  M  such  that  [M]  €  Post{t),  and 

3.  for  all  branches  b  E  bnch(M) 

the  predicate  occ{P,  b){Pre{t),  New{t))  holds. 


89 


4  A  Search  Procedure  for  Establishing  Occultness 


Now,  we  describe  a  search  procedure  for  establishing  occ{P,b){t)  for  a  given 
branch  b  and  a  transition  t.  This  algorithm  proceeds  by  applying  some  basic 
tests  which  are  suffi  cient  for  establishing  that  the  occultness  predicate  above  holds. 
Whenever  these  tests  fail,  a  back  step  is  performed.  Such  a  step  explores  every  pos¬ 
sibility  of  how  certain  message  fi  elds  could  have  been  published  on  the  network. 

Lemma  2  (Basic  Tests)  Let  b  =  {Z,  Kg)  be  a  branch,  Eg  a  set  of  events,  and  Ng 
a  set  of  nonces;  then:  occ{P^  b){Eg,Ng)  holds  if  one  of  the  following  is  true. 

1.  Z^Ng 

2.  There  exists  a  Kg  such  that  Kg  C  Kg  and  {Z,Kg)  €  hr\ch[Cont{Eg));  in 
this  case  we  write  {Z,Kg)  €  hnQ\\[Cont{Eg)). 

3.  There  exists  a  spell  C  E  Eg  such  that  Z  E  Book{C)  and  Kj^riSec{C)  0; 
in  this  case  we  write  db{Eg,  Z,Kg). 

Note  that  we  employ  the  obvious  extension  of  bnch(.)  to  sets  of  fi  elds.  The  operator 
E  says  that  a  branch  may  have  more  keys  than  necessary,  which  is  not  harmful, 
since  one  good  key  is  enough. 

Given  a  P-conti  guration  (7,  i7,  C)  such  that  the  requirements  listed  in  Deh  ni- 
tion  2  hold.  Lemma  2  is  proved  as  follows.  First,  consider  the  basic  test  Z  E  Ng. 
Since  Ng  C  unused{H),  it  follows  that  Z  ^  Sec{C).  Thus,  occ{P,b){Eg,  Ng) 
holds.  Second,  assume  (Z,  Kg)  E  bndn{Cont{Eg))  and  let  TC'  C  Kg  be  such  that 
{Z,K'^)  E  bnch{Cont{Eg)).  Since  Eg  E  H  and  H  is  I-discreet,  it  follows  that 
Cont{Eg)  C  C(Sec{C)).  Consequently,  using  Lemma  1,  Kg~^  n  Sec(C)  0, 
and  thus  Kg~^  f]  Sec{C)  0.  The  third  part  of  Lemma  2  is  a  consequence  of  the 
disjoint  book  lemma  (Lemma  1). 

Consider,  for  example,  rule  2  of  the  Otway-Rees  protocol  in  Figure  1.  This 
rule,  denoted  by  or2,  contains  a  message  variable  X  in  its  pre.  Thus,  or2  denotes 
an  infi  nite  set  of  transitions,  and  a  uniform  proof  of  the  occultness  of  this  family  of 
transitions  starts  by  introducing  a  symbolic  constant  X' . 

(fV,0),(iV,{shr(P)})  i 

bncb{Cont{{[N,  A,  X'],  _}  j:  {A,  P}}))  , 

itfollows  that  both  occ{OR,  (iV,  0))(or2)  and  occ{OR,  {N,  {shr(P)}))(or2)  hold. 
Furthermore,  since  the  predicate  d6({[JV,  A,  X']^  {iVh,  _}  |  {A,  P}},  N^,  {shr(P)}) 
holds,  it  follows  that  occ{OR,  (iVh,  {shr(P)}))(or2)  holds,  too. 


90 


The  occultness  proof  of  the  Otway-Rees  protocol  uses  only  basic  tests.  In 
general,  however,  other  rules  have  to  be  taken  into  consideration.  Consider,  for 
example,  the  case  (iVa,  {pub(v4)})  €  bnch({iVa,  iV^,  .B}pub(y4))  for  proving  rule  2 
of  the  Needham-Schroeder-Lowe  protocol  in  Figure  2;  this  rule  is  denoted  by  ns/2. 
None  of  the  basic  tests  above  establishes  that  occ{NSL^  {Na^  {pub(^)}))(ns/2) 
holds.  The  purpose  of  a  back  step  is  to  obtain  additional  information  for  applying 
the  basic  tests.  For  each  message  event  M  in  Eg,  two  possibilities  have  to  be  taken 
into  consideration:  either  M  has  been  published  by  an  honest  agent  following  the 
protocol  rules  or  M  was  injected  by  the  intruder. 


Definition  3  (Search)  Let  P  be  a  protocol,  t  be  a  transition  of  P,  and  b  be  a 
branch  of  the  form  {Z,  Kg);  then: 

main{P,b){t)  =  Z  €  New{t)  V 

search {P,  b){Pre{t)) 

search {P,b) (Eg)  =  b  E  bnch{Cont{Eg))  V 

db{Eg,  Z,Kg)  V  back{P,b){Eg) 

back{P,b){Eg)  =  (3M  E  Eg  :  ZE  parts(M)) 

{honest {P,b){M)  A  fake{P,b){M)) 


honest {P,b){M)  =  {yt'EP,  MEparts{Cont{Post{t')))) 

search {P^  b){Pre{t')) 


fake{P,  b){M)  ="  (VMi,. . .,  :  [Mi,. . .,  M„]  =  M) 

^ Mi{Z  E  parts(Mj)  A  search{P,b){{Mi})) 


These  predicates  determine  a  search  procedure  in  the  usual  way.  For  example. 
Pi  V  P2  is  computed  non-deterministically:  if  the  computation  of  Pi  (or  P2)  ter¬ 
minates  with  true,  then  the  computation  of  Pi  V  P2  terminates  with  true.  Using 
these  conventions,  Defi  nition  3  gives  rise  to  a  nondeterministic  proof  procedure  for 
establishing  occultness. 

Now  we  outline  the  proof  of  soundness  for  our  procedure.  The  proof  of  the 
main  lemma  applies  induction  on  the  number  of  back  steps  in  deducing  that  predi¬ 
cate  search {P,  Z,  Kg)  {Eg)  holds.  A  detailed  proof  can  be  found  in  the  appendix. 

Lemma  3  (Main  Lemma)  Let  P  be  a  protocol,  b  be  some  branch,  and  Eg  a  set  of 
of  events;  then: 


91 


If  the  predicate  search {P,b)  {Eg)  holds,  then  occ{P,b){Es,  -)  holds, 
too. 

Altogether,  soundness  of  the  seareh  proeedure  follows  from  the  Lemmas  2  and  3, 
and  the  seereey  theorem  (Theorem  1). 

Theorem  2  (Soundness)  Let  P  be  a  protocol.  If  main {P^b){Pre{t)^  New (t)) 
holds 

•  for  all  transitions  t  ^  P, 

•  for  all  message  events  M  E  Post{t),  and 

•  for  all  branches  b  E  bnch(M), 
then  P  is  discreet. 


Our  method,  however,  is  not  eomplete.  If  one  of  the  proof  obligations  ean  not 
be  shown  to  hold,  then  one  may  not  neeessarily  eonelude  that  the  protoeol  is  not 
disereet.  Moreover,  there  are  oeeult  protoeols  for  whieh  our  seareh  proeedure  does 
not  terminate;  sueh  an  example  ean  be  found  in  Seetion  5. 

Let  us  return  to  proving  oeeultness  of  the  rule  ns/2;  for  the  braneh  b  =  (iVa,  {pub(A)}) 
the  derivation  starts  as  follows. 

main{NSL,  b){nsl2) 

search{N SL,b){{{Ni,\-}  I  {A,  B},) 

[{-^05  ^}pub(iJ)]} 

^  back{NSL,b){{{Nb\-}t{AB},) 

[{^a,^}pub(B)]} 

honest{NSL,b){{Na,A}p^,i,(^s))  A 

Me(iV5L,6)({iVa,A}p,b(B)) 

Sinee  only  the  fi  rst  rule  of  the  Needham-Sehroeder-Lowe  protoeol  eontains  a  mes¬ 
sage  of  the  form  {JVa,  ^}pub(s)  its  post, 

honest{NSL,  b){{Na,  ^}pub(s)) 

search{NSL,b){{{Na\-}t{AB}}) 

true 

This  reduees  to  true  beeause  of  the  disjoint  book  test. 

Me(iV5L,6)({iVa,A}p,b(5)) 

^  search{NSL,b){Na,A) 
true 


92 


since  {Na,  {pub(^)})  €  bnch([iVa,  ^]).  Consequently,  rule  nsl2  is  occult. 

Derivations  based  on  the  predicates  in  Defi  nition  3  can  be  visualized  as  search 
trees.  These  search  trees  have  set  of  events  as  nodes,  the  edges  are  labeled  either 
with  a  basic  test  or  with  the  name  of  one  of  the  search  steps.  A  leaf  is  true  if  one 
of  the  basic  tests  succeeds,  and  false  if  all  the  basic  tests  fail  and  if  there  is  no 
more  message  in  the  set  of  events  of  the  parent  node.  Branching  corresponds  to  a 
conjunction,  and  disjunctions  are  realized  by  copying  derivation  trees.  For  the  mle 
nsl2  and  the  branch  (iVa,  {pub (A)}),  for  example,  the  run  of  search  is  visualized 
as  follows. 

{{Na,Ni,}t{A,B},  [{iVa,A}p„b(B)]} 


{{Na,Nl}t{A,B}} 


disjointbook 


e 


true 


true 


In  general,  the  search  tree  generated  by  the  predicates  in  Defi  nition  3  may 
be  infi  nitely  branching  whenever  there  is  an  infi  nite  set  of  protocol  transitions. 
However,  the  set  of  honest  transitions  is  usually  generated  by  a  fi  nite  set  of  rules 
on  the  form  rl  =  Pre{rl)  — >  Post{rl),  such  that  each  transition  t  of  the  protocol 
is  obtained  by  a  substitution  cr,  i.e.  Pre{t)  =  Pre{rl)a,  New{t)  =  New{rl)a, 
etc  . . .  The  remainder  of  this  section  is  devoted  to  lifting  the  results  above  from 
transitions  to  rules.  In  this  way,  we  obtain  occultness  proof  obligations  for  rules 
which  possibly  contain  variables. 

The  notion  of  branches  has  to  be  extended  to  include  messages  fi  elds  confaining 
variables  X  by  adding  fhe  case  bnch(X,  iF^)  =  {(Jf,  iF^)}  fo  Definilion  1.  Now, 
fhe  search  algorifhm  in  Defi  nifion  3  is  liffed  fo  fhis  new  case  of  fi  eld  variables  in 
branches. 


Definition  4  Let  P  be  a  protocol,  bbe  a  branch,  and  rl  be  a  rule;  then: 


main'{P,  b){rl)  = 


b  E  bnch{Cont{Pre{rl))) 

ifb=  {Z,  _)  and  Z  is  a  variable; 
main{P,  b){rl) 
otherwise. 


The  soundness  of  Ibis  exfension  follows  from  fhe  following  fad. 

Lemma  4  If  main'{P,b){Pre{rl),  New{rl))  holds  for  all  M  E  Post{rl),  for  all 
b  E  bnch(M),  then 


93 


•  for  all  instances  t  of  rule  rl, 

•  for  all  message  events  M'  €  Fost(t), 

•  for  all  branches  b  €  bnch(M') 

the  predicate  main{P,  b){Pre{t),  New{t))  holds. 

Let  b  €  bnch(M')  such  that  M'  €  Post{t).  If  6  €  bnch(M),  then  the  predicate 
main{P,  b){Pre{t),  New{t))  holds  by  thedefi  nition  of  mairi{P^  b){Pre{rl),  New{rl)). 
Otherwise,  if  6  =  {Z,  Kg)  comes  from  an  instantiation  cr  of  a  ti  eld  variable,  there 
exists  X  €  parts(M)  such  that  (X,Ki)  €  bnch(M)  and  {Z,K2)  €  bnch(Xcr) 
withies  =  Ki  U  K2.  Now,  main'{P^{X^Ki)){Pre{rl)^New{rl))  holds,  and 
consequently  (X^Ki)  E  hnch{Cont{Pre{rl))),  b  E  hnch{Cont{Pre{rla))),  and 
fi  nally  main{P^  b){Pre{t),  New{t))  hold.  This  fi  nishes  the  proof  of  Lemma  4. 

Theorem  3  Let  P  be  a  protocol.  If  main'  {P^  b){Pre{rl)^  New{rl))  holds 

•  for  all  rules  rl  E  P, 

•  for  all  message  events  M  E  Post{rl),  and 

•  for  all  branches  b  E  bnch(M), 
then  P  is  discreet. 


0 

'’’\{Nb,K,b}t{A,B}} 

(0) 

0 

Na 
- > 

{{A,N^]} 

(1) 

l[AiV„]  / 

l[B,{A,Na,NbUr(B)}] 

(2) 

lS,B,Kab,Na,Nb  }shr  (A) , 

(3) 

{^5  lf^a6}shr(B)]} 

UB,Kab,Na,Nb}s^r(A),X}] 

{[Y,  {iV4K„J} 

(4) 

Figure  3:  Encoding  of  the  Yahalom  protocol. 

94 


(0) 

(1) 


0 

0  JS{[A,B,Na]} 


{[{4,  B  j  IVa  ,  XabXs'nriA) , 

(2) 

{A,  B,  Na,  Aa6}shr(B)]} 

{[X,{A,B,Na,Ka,}s,r(B)]}^ 

{[Y,  {iV4K„,,iV6]} 

(3) 

{[{^,  ATof)  j-shr(A)5  0 

{[{iV4K„J} 

(4) 

Figure  4:  Encoding  of  the  Kao  Chow  Repeated  Authentifi  cation  protocol. 


0 

{{A4t{4i,42}} 
{IAi,A2,  ■  ■  ■  ,A„, 

{4l,  Aa}shr(A)]} 

Figure  5 :  A  protocol  which  requires 


{Na} 


{{A4t{4i,42}} 

(0) 

{[4i,  42,  ■  •  ■  ,A„, 

{4l ,  Ao}shr(2l)]} 

(1) 

{[{4i,42,  Aa}shr(Ai)]} 

(2) 

at  least  n  back  steps  for  proving  occultness. 


5  Examples 

In  the  previous  sections,  we  have  already  demonstrated  that  the  Otway-Rees  pro¬ 
tocol  can  be  proved  to  be  occult  using  only  basic  tests.  Likewise,  the  occultness 
proof  of  the  Needham-Schroeder-Lowe  protocol  requires  at  most  one  back  step  for 
each  rule  and  each  branch.  Here  we  give  an  overview  of  the  proof  of  Yahalom’s 
protocol,  which  requires  up  to  two  back  steps  for  proving  occultness.  Moreover, 
we  demonstrate  the  incompleteness  of  our  algorithm  with  an  example  of  an  oc¬ 
cult  protocol  for  which  the  search  procedure  is  non- terminating.  Then,  we  give 
an  example  of  a  protocol  that  requires  at  least  n  back  steps  in  proving  occultness. 
Finally,  we  use  a  failed  proof  attempt  of  the  original  Needham-Schroeder  protocol 
to  show  that  it  is  indeed  not  occult. 


Yahalom  Protocol.  This  protocol  has  been  studied  extensively  by  Paulson  [14]. 
An  encoding  of  the  Yahalom  protocol  (without  state  events)  can  be  found  in  Fig¬ 
ure  3.  Occultness  of  the  initial  rule  (1)  is  obvious.  For  verifying  occultness  of 
rule  (2)  we  have  to  consider  the  two  branches  (A^a,  {shr(H)}),  (Alj,,  {shr(H)})  of 
the  single  message  in  the  post. 


95 


{Na,{shr{B)})  :  {N,,,{shr{B)}) 

(Msg(A++Na)  \  (Msg(A++Na) 

\Cast({Nb,K^b},  {A,B})  J  \Cast({Nb,K^b},  i 


db 


true 


true 


In  verifying  occultness  of  rule  (3)  four  branches  have  to  be  considered.  Oc¬ 
cultness  for  the  cases  (iVft,  {shr(^)}),  {shr(^)}),  and  {shr(il)})  is 

established  using  the  disjoint  book  test,  whereas  the  branch  (Na,  {shr(^)})  needs 
two  back  steps. 

r  {Nb,Kab}t{A,B},  I 
\  [B,{A,Na,Nb}sbr(B)]  I 
I  back 

honest^...-----'''^  ^■'--^fake 


f  {Nb,K^b}t{A,B},  \ 
I  [A,Na]  j 


{[{A,  iVa,iVt}shr(B)]} 


Finally,  the  branches  {X,  0)  and  (iVj,,  {Kab})  have  to  be  considered  for  es¬ 
tablishing  occultness  of  the  rule  (4).  The  proof  for  the  (X,  0)  branch  only  needs 
the  basic  test  “€  bnch(. . . )”  and  the  following  proof  for  the  branch  (iVj,,  {Kab}) 
requires  two  back  steps. 

{[{B,K^b,Na,NbUr(A),X]} 

I  back 

fake 


honest 

{Nb,K^b}t{A,B},  \ 

[it,{A,iV„,iV6}3hr(B)]  / 


true 

{Nb,K^b}X{A,B},  \ 

[B,{A,Na,Nb}sbr(B)]  ) 

I  db 

true 


{[{B,  Kab,  Na,  tV6}shr(A)]} 
back 

honest  fake 


{[B,Kab,Na,Nb]} 


e 

true 


Altogether,  the  Yahalom  protocol  is  occult. 


96 


The  Kao  Chow  Repeated  Authentification  Protocols.  An  encoding  of  the  Kao 

Chow  repeated  authentifi  cation  protocol  can  be  found  in  Figure  4.  All  veriti  cation 
conditions  can  be  proved  easily,  except  for  rule  three  and  the  branch  (Ai^,  {Kat})- 
In  this  case,  the  procedure  creates  an  inti  nite  tree  as  visualized  below.  Conse¬ 
quently,  our  procedure  fails  to  detect  occultness  of  this  protocol. 


back 

fake 


^  {[{^^B,Na,Kab]shrB]} 
true 

{[X,  {A,  B,  Na,Kab}shrB} 


Arbitrary  Number  of  Backsteps.  Occultness  of  the  Otway-Rees  protocol  is 
proved  using  only  basic  tests,  the  proof  of  the  Needham-Schroeder-Lowe  proto¬ 
col  needs  at  most  one  back  step  for  verifying  each  occultness  obligation,  and  the 
Yahalom  is  proved  using  at  most  two  back  steps.  In  general,  given  a  natural  num¬ 
ber  n,  there  is  an  occult  protocol  which  requires  at  least  n  back  steps  for  proving 
occultness.  Such  a  family  of  protocols  is  given  in  Figure  4.  The  proof  tree  for 
demonstrating  occultness  of  the  rule  2  of  this  protocol  is  given  as  follows;  obvi¬ 
ously,  there  is  no  deduction  requiring  less  back  steps. 


97 


I  db 

true 


[{Ai,  iVa}shr(A)] 
I  back 


honest 

{iVa}t  {^1,^2} 
db 
true 


fake 

[Al,Na] 

e 

true 


Failed  Proof  Attempts.  Lowe  [8]  showed  that  the  original  deseription  of  the 
Needham-Sehroeder  [12]  protocol  was  flawed.  The  encoding  of  this  protocol  is 
identical  to  the  one  in  Figure  2  except  for  the  post  of  rule  2.  This  post  is  now 
assumed  to  be  given  by  {[{iVa,  Our  search  procedure  terminates  with 

an  incomplete  proof  for  this  modifi  ed  rule. 


{[{Aa,  A;,} pub(yl)]} 


1  ^j  pub(B')]  J 

true 

false 


Using  this  failed  proof  attempt,  we  can  show  that  the  protocol  is  indeed  not  occult. 
The  construction  starts  at  the  leaf  labelled  with  false.  Its  parent  node  contains 
a  cast  and  is  exactly  the  Pre  of  one  of  the  rules,  say  rl,  of  the  protocol.  Now, 
we  consider  a  (partial)  run  of  the  protocol  where  all  the  rules  preceding  rl  in  the 
protocol  description  are  applied  in  the  given  order. 

0  {{N,,N,}t{A,B'}} 

{{ATa,  N,}  t  {A,  B'}}  ^  {[{iVa,  A}pab(B,)]} 


98 


Next,  we  simulate  an  attack  by  following  the  branch  from  the  false  leaf  up  to  its 
root.  The  parent  node  of  the  false  leaf  is  directly  connected  with  the  root  by  an 
honest  edge. 


\  [{-^05  ^}pub(B')] 


{[{-^a,-^6}pub(A)]} 


Having  reached  the  root  of  the  tree,  one  applies  the  rule  for  which  our  algorithm 
fails. 

Thus  ^  C{Sec{{Na,  iV^}  |  {A,  B'})),  and  the  protocol  is  not  occult. 


6  Discussion 

We  have  developed  a  procedure  for  proving  the  occultness  of  protocol  rules  and 
proved  its  correctness.  If  the  procedure  terminates  with  true,  then  the  argument 
rule  is  occult.  Moreover,  occultness  of  all  rules  implies  that  the  protocol  is  indeed 
secure.  Our  procedure  follows  the  informal  reasoning  steps  in  [10],  mechanizations 
do  not  require  any  user  intervention,  and  there  is  a  visually  appealing  graphical 
representation  of  occultness  proofs. 

We  have  tested  our  proof  procedure  on  selected  protocols  from  the  the  Clark 
and  Jacob  survey  [2].  Usually,  we  can  prove  occultness  using  only  a  small  number 
of  search  space  extensions.  The  Otway-Rees  and  the  Carlson  protocol,  for  exam¬ 
ple,  are  proved  to  be  secure  using  only  basic  tests,  the  Needham-Schroeder  protocol 
needs  at  most  one  back  step  for  verifying  occultness  of  each  rule  and  branch,  and 
the  Yahalom  protocol  needs  at  most  two  back  steps  for  verifying  each  occultness 
conditions.  We  have  also  given  examples  of  protocols  whose  occultness  proofs 
need  at  least  n  back  steps  for  an  arbitrary  natural  number. 

Much  work  remains  to  be  done.  In  order  to  deal  with  many  protocols  used  in 
practice,  we  have  to  extend  our  methods  and  support  protocol  features  like  hashing 
and  timestamps.  The  algorithm  described  here  is  not  a  semi-decision  procedure  in 
the  sense  that  occultness  is  eventually  detected.  It  may  be  interesting  to  investigate 
subclasses  of  protocols  which  only  require  abounded  number  of  back  steps,  and  for 
which  our  algorithm  acts  as  a  decision  procedure.  Also,  we  do  not  yet  know  under 
what  circumstances  a  failed  proof  attempt  implies  that  the  protocol  is  insecure. 
An  advantage  of  our  method  seems  to  be  that  it  permits  constructing  attacks  from 
failed  proof  attempts.  For  example  from  the  failed  proof  attempt  for  the  original 
Needham-Schroeder  protocol  in  Section  5  we  can  construct  Lowe’s  man-in-the- 
middle  attack.  We  plan  to  investigate  methods  for  constructing  such  attacks  from 
failed  proof  attempts. 


99 


References 


[1]  I.  Cervesato,  N.  Durgin,  P.  Lincoln,  J.  Mitchell,  and  A.  Scedrov.  A  meta¬ 
notation  for  protocol  analysis.  In  12th  IEEE  Computer  Security  Eoundations 
Workshop,  pages  55-69.  IEEE  Computer  Society,  1999. 

[2]  J.  Clark  and  J.  Jacob.  A  survey  of  authentication  proto¬ 
col  literature.  http://www.cs.york.ac.uk/~jac/  pa- 

pers/drareviewps  .ps,  1997. 

[3]  E.  Cohen.  TAPS:  A  fi  rst-order  verili  er  for  cryptographic  protocols.  In  13th 
IEEE  Computer  Security  Eoundations  Workshop,  pages  144—158.  IEEE  Com¬ 
puter  Society,  2000. 

[4]  N.  Durgin,  P.  Eincoln,  J.  Mitchell,  and  A.  Scedrov.  Undecidability  of  bounded 
security  protocols.  In  Eormal  Methods  and  Security  Protocols,  Eederated 
Eogic  Conference,  1999. 

[5]  B.  Dutertre,  H.  Saidi,  and  V.  Stavridou.  Intrusion-Tolerant  Group  Manage¬ 
ment  in  Enclaves.  Accepted  for  publication  at  the  International  Conference 
on  Dependable  Systems  and  Networks  (DSN’2001),  2001. 

[6]  B.  Dutertre  and  S.  Schneider.  Using  a  PVS  embedding  of  CSP  to  verify  au¬ 
thentication  protocols.  In  Theorem  Proving  in  Higher  Order  Logics,  TPHOL’s 
97,  volume  1275  of  Lecture  Notes  in  Computer  Science,  pages  121-136. 
Springer- Verlag,  August  1997. 

[7]  E.  Gong.  Enclaves:  Enabling  Secure  Collaboration  over  the  Internet.  IEEE 
Journal  of  Selected  Areas  in  Communications,  15(3):567-575,  April  1997. 

[8]  G.  Eowe.  Breaking  and  fi  xing  the  Needham-Schroeder  public-key  protocol 
using  EDR.  In  Proceedings  of  TACAS,  volume  1055  of  Lecture  Notes  in 
Computer  Science,  pages  147-166.  Springer- Verlag,  1996. 

[9]  C.  Meadows.  Invariant  generation  techniques  in  cryptographic  protocol  anal¬ 
ysis.  In  I3th  IEEE  Computer  Security  Eoundations  Workshop,  pages  159- 
167.  IEEE  Computer  Society,  2000. 

[10]  J.  Millen  and  H.  RueB.  Protocol-independent  secrecy.  In  2000  IEEE  Sympo¬ 
sium  on  Security  and  Privacy.  IEEE  Computer  Society,  2000. 

[11]  D.  Monniaux.  Decision  procedures  for  the  analysis  of  cryptographic  proto¬ 
cols  by  logics  of  belief.  In  I2th  Computer  Security  Eoundations  Workshop, 
Mordano,  Italy,  June  1999.  IEEE  Computer  Society. 


100 


[12]  R.  Needham  and  M.  Sehroeder.  Using  eneryption  for  authentieation  in  large 
networks  of  eomputers.  Communications  of  the  ACM,  21(12):993-998,  De- 
eember  1978. 

[13]  D.  Otway  and  O.  Rees.  Effieient  and  timely  mutual  authentieation.  ACM 
Operating  System  Review,  21(1):8-10,  1987. 

[14]  L.  Paulson.  Relations  between  seerets:  Two  formal  analyses  of  the  Yahalom 
protoeol.  Teehnieal  Report  TR432,  University  of  Cambridge,  Computer  Lab¬ 
oratory,  July  1997. 

[15]  L.  Paulson.  The  induetive  approaeh  to  verifying  eryptographie  protoeols. 
Journal  of  Computer  Security,  6(1):85-128,  1998. 

[16]  H.  RueB  and  J.  Millen.  Loeal  seereey  for  stated-based  models.  In  Proc.  of  the 
Workshop  on  Formal  Methods  in  Computer  Security  (FMCS’2000),  Chieago, 
IL,  2000. 

[17]  S.  Sehneider.  Verifying  authentieation  protoeols  in  CSP.  IEEE  Transactions 
on  Software  Engineering,  24(9):741-758,  September  1998. 

[18]  J.  Thayer,  J.  Herzog,  and  J.  Guttman.  Honest  ideals  on  strand  spaees.  In 
11th  IEEE  Computer  Security  Foundations  Workshop,  pages  66-78.  IEEE 
Computer  Soeiety,  1998. 


7  Proof  of  the  Main  Lemma 

Main  Lemma: 

If  the  predieate  search{P){Z,  Ks){Es)  holds,  then  occ{P,  Z,  Ks){Es,  — ) 
holds,  too. 

Proof  :  Instead  of  proving  that  occ  (P,  Z,  Kg  ){Es,Ns)  holds,  we  prove  the  stronger 
property  occstrong  (P,  Z,Ks){Es)  defi  ned  to  hold  iff  for  all  P-eonfi  gurations  (7,  77,  C) 
sueh  that 

1.  Nonstates  (Eg)  C  77  and 

2.  2  e  Sec{C) 

it  is  the  ease  that  5  Cl  Sec{C)  0  ,.  The  set  Nonstates  (Eg)  ineludes  all  non-state 
events  in  Eg.  Obviously,  occstrong {P,  Z,  Kg) (Eg)  implies  occ{P,  Z,  Kg) {Eg,  —). 

The  proof  is  by  induetion  on  the  minimum  number  of  baek  steps  for  deriving  that 
search {P,  Z,  Kg) {Eg)  holds. 


101 


Initialization.  If  the  derivation  of  search{P,  Z,  Ks){Es)  terminates  with  true 
and  if  no  baek  steps  has  been  used,  then  either  {Z,Ks)  €  hnch{Cont{Es))  or 
db{Es^  Z^  Kg)  holds.  Using  basie  tests  one  eoneludes  that  occstrong {P,  Z,  Kg) (Eg) 
holds  in  both  eases. 

Step.  Assume  that  occstrong  (P,  Z,  Kg ){Eg)  holds  for  every  search (P,  Z,  Kg ){Eg) 
with  a  derivation  that  uses  less  or  equal  than  n  of  baek  steps.  Furthermore,  eonsider 
P,  Z,  Kg,  and  Eg  sueh  that  the  derivation  of  search{P,  Z,  Kg) {Eg)  terminates  with 
true  and  uses  n  +  1  baek  steps,  and  assume  a  P-eonfi  guration  (I,  H,  C)  sueh  that 
Nonstates  {Eg)  C  H  and  Z  E  Sec{C). 

Consequently,  the  baek  step  terminates  with  true,  and  there  exists  a  M  E  Eg 
and  Z  E  parts(M),sueh  that  honest{P,  Z,  Kg){M)  Afake{P,  Z,  Kg){M)  =  true 
and  the  derivation  of  honest{P,  Z,  Kg){M)  and  fake{P,  Z,  Kg){M)  uses  at  most 
n  baek  steps.  Now,  M  is  in  Eg,  so  M  is  in  H.  By  induetion  on  H  there  exists  two 
global  states  Hi,  H2  sueh  that 

global{P){I){Hi,H2)kNonstates{Hi)  CHk 

M  E  parts{H2)  kM  ^  parts(P'i). 

Apply  ease  analysis  depending  on  whether  the  global  extension  is  honest  or  faked. 

Case  honest{P){Hi,  H2):  There  exists  an  applieable  transition  t  E  P  sueh  that 
H2  =  P ost{t)U{Hi\{P re {t)r\ States))',  thus.  Nonstates {P re {t))  C  H  and 
M  E  parts{P ost{t)).  Sinee  honest{P,  Z,  Kg){M)  reduees  to  true  and  M  E 
parts{P ost{t)),  we  have  search{P,  Z,  Kg){Pre{t))  holds,  and  its  derivation 
uses  at  most  n  baek  steps.  Thus,  occstrong {P,  Z,  Kg)  {Pre{t))  holds.  Be- 
eause  of  the  faets  Nonstates {P re {t))  E  H  and  Z  E  Sec{C),  it  follows 
that  S  n  Sec{C)  =  0.  Consequently,  the  predieate  occstrong{P,  Z,  Kg){Eg) 
holds. 

Case  fake{I){Hi,  H2):  By  definition  of  fake,  H2  =  Hi  U  {M'}  where  M'  E 
iake{Cont{H)  U  I).  Sinee  M  E  parts(i?2)  and  M  0  parts(iTi),  we  know 
that  M  E  parts(fake(C'oni(iT)  U  /)).  It  is  easy  to  verify  that 

parts(fake( C'oni(P')  U/))  = 

iake{Cont{H)  U  /)  U  parts{Cont{H)  U  I)  . 

In  addition,  M  ^  parts(7)  (unless  Z  E  parts(/),  in  whieh  ease  Z  0 
Book{C)  by  ehoiee  of  C,  whieh  eontradiets  the  hypothesis  Z  E  Book{C)) 
and  M  0  parts{Cont{H)),  thus  M  0  parts{Cont{H)  U  I).  Consequently, 


102 


M  must  have  been  synthesized,  meaning  X  €  fake(Cont(ff)  U  7)  if  M  = 

{X}k  or  there  exist  Mi ,  M2  sueh  that  M  =  Mi ,  M2  and  Mi ,  M2  €  fa ke ( Cont  (77)  U 

I)- 

Now,  let  77'  =  77  U  {Mi,  M2}  (respeetively  H'  =  H  U  {7f}).  It  is  easy  to 
verify  that  (7,  77',  C)  is  still  a  P-eonfi  guration,  and  we  get  {M,  M2}  €  77' 
(respeetively  {X}  €  77')  and  Z  €  Sec{C). 

Assume  (without  loss  of  generality)  that  Z  €  parts(Mi).  By  definition  of 
fake{I){Hi,  H2),  search{P,  Z,  Ks){{Mi})  (respeetively  search{P,  Z,  7l5)({X})) 
holds  and  its  derivation  uses  at  most  n  baek  steps.  Therefore,  the  predieate 
occstrong{P,  Z,  Ks){{Mi})  {resp.  occstrong{P,  Z,  Kg) {{X}))  holds.  Fi¬ 
nally,  one  eoneludes  that  occstrong{P,  Z,Ks){Es)  holds. 


103 


An  Overview  of  Formal  Verification 
For  the  Time-Triggered  Architecture* 


John  Rushby 

Computer  Science  Laboratory 
SRI  International 
333  Ravens  wood  Avenue 
Menlo  Park,  CA  94025,  USA 

rushby@csl . sri . com 


Abstract 

We  describe  formal  verification  of  some  of  the  key  algorithms  in  the  Time- 
Triggered  Architecture  (TTA)  for  real-time  safety-critical  control  applications.  Some 
of  these  algorithms  pose  formidable  challenges  to  current  techniques  and  have  been 
formally  verified  only  in  simplified  form  or  under  restricted  fault  assumptions.  We  de¬ 
scribe  what  has  been  done  and  what  remains  to  be  done  and  indicate  some  directions 
that  seem  promising  for  the  remaining  cases  and  for  increasing  the  automation  that  can 
be  applied.  We  also  describe  the  larger  challenges  posed  by  formal  verification  of  the 
interaction  of  the  constituent  algorithms  and  of  their  emergent  properties. 


1  Introduction 

The  Time-Triggered  Arehiteeture  (TTA)  provides  an  infrastrueture  for  safety-eritieal  real¬ 
time  eontrol  systems  of  the  kind  used  in  modern  ears  and  airplanes.  Coneretely,  it  eomprises 
an  interloeking  suite  of  distributed  algorithms  for  funetions  sueh  as  eloek  synehronization 
and  group  membership,  and  their  implementation  in  the  form  of  TTA  eontrollers,  buses, 
and  hubs.  The  suite  of  algorithms  is  known  as  TTP/C  (an  adjunet  for  non  safety-eritieal 
applieations  is  known  as  TTP/A)  and  was  originally  developed  by  Kopetz  and  eolleagues  at 
the  Teehnieal  University  of  Vienna  [28] ;  its  eurrent  speeifi  eation  and  eommereial  realization 
are  by  TTTeeh  of  Vienna  [75].  More  abstraetly,  TTA  is  part  of  a  eomprehensive  approaeh 
to  safety-eritieal  real-time  system  design  [25]  that  eenters  on  time-triggered  operation  [26] 
and  ineludes  notions  sueh  as  “temporal  firewalls”  [24]  and  “elementary”  interfaees  [27]. 

*This  research  was  supported  by  NASA  Langley  Research  Center  under  Cooperative  Agreement  NCC-1- 
377  with  Honeywell  Incorporated,  by  DARPA  through  the  US  Air  Force  Rome  Laboratory  under  Contract 
F30602-96-C-029L  by  the  National  Science  Foundation  under  Contract  CCR-00-86096,  and  by  the  NextTTA 
project  of  the  European  Union. 


104 


The  algorithms  of  TTA  are  an  exeiting  target  for  formal  verifi  eation  beeause  they  are  in¬ 
dividually  ehallenging  and  they  internet  in  interesting  ways.  To  praetitioners  and  developers 
of  formal  verifi  eation  methods  and  their  tools,  these  algorithms  are  exeellent  test  eases — 
fi  rst,  to  be  able  to  verify  them  at  all,  then  to  be  able  to  verify  them  with  suffi  eient  automa¬ 
tion  that  the  teehniques  used  ean  plausibly  be  transferred  to  nonspeeialists  for  use  in  similar 
applieations.  For  the  developers  and  users  of  TTA,  formal  verifi  eafion  provides  valuable 
assuranee  for  ifs  safely-erilieal  elaims,  and  explieafion  of  fhe  assumpfions  on  whieh  fhese 
resf.  As  new  versions  of  TTA  and  ifs  implemenfafions  are  developed,  fhere  is  fhe  additional 
opporfunify  fo  employ  formal  mefhods  in  fhe  design  loop. 

TTA  provides  fhe  funelionalify  of  a  bus:  hosf  eompufers  affaeh  fo  TTA  and  are  able 
fo  exehange  messages  wifh  ofher  hosfs;  in  addifion,  TTA  provides  eerfain  serviees  fo  fhe 
hosfs  (e.g.,  an  indieafion  whieh  ofher  hosfs  and  fheir  inferfaee  eonfrollers  are  parfieipafing 
reliably  in  nefwork  profoeols).  Beeause  if  is  used  in  safely-erilieal  systems,  TTA  musl 
be  faull  loleranl:  lhal  is,  if  musl  eonlinue  fo  provide  ifs  serviees  fo  nonfaully  hosfs  in  fhe 
presenee  of  faulty  hosfs  and  in  fhe  presenee  of  faulls  in  ifs  own  eomponenls.  In  addition, 
fhe  serviees  lhal  if  provides  fo  hosfs  are  ehosen  fo  ease  fhe  design  and  eonslruelion  of  faull- 
loleranl  appliealions  (e.g.,  in  an  automobile  brake-by-wire  appliealion,  eaeh  wheel  has  a 
brake  lhal  is  eonlrolled  by  ifs  own  hosf  eompuler;  fhe  serviees  provided  by  TTA  make 
if  fairly  simple  fo  arrange  a  safe  dislribuled  algorilhm  in  whieh  eaeh  hosf  ean  adjusl  fhe 
braking  foree  applied  to  ifs  wheel  to  eompensafe  for  fhe  failure  of  one  of  fhe  ofher  brakes 
or  ifs  hosf). 

Serious  eonsideralion  of  faull-loleranl  syslems  requires  eareful  idenlifi  eafion  of  fhe  faull 
eonlainmenl  unils  (eomponenls  lhal  fail  independenlly),  faull  hypolheses  (Ihe  kind,  arrival 
rate,  and  lolal  number  of  faulls  to  be  tolerated),  and  Ihe  type  of  faull  loleranee  to  be  provided 
(e.g.,  whal  eonslilules  aeeeplable  behavior  in  Ihe  presenee  of  faulls:  faull  masking  vs.  fail 
silenee,  self  slabilizalion,  or  never-give-up).  The  basie  goal  in  verifying  a  faull-loleranl 
algorilhm  is  to  prove 

faull  hypolheses  salisfi  ed  implies  aeeeplable  behavior. 

Sloehaslie  or  olher  probabilislie  and  experimenlal  melhods  musl  Ihen  eslablish  lhal  Ihe 
probability  of  Ihe  faull  hypolheses  being  salisfi  ed  is  suffi  eienlly  large  to  satisfy  Ihe  mission 
requiremenls. 

In  Ihis  shorl  paper,  if  is  nol  possible  to  provide  mueh  by  way  of  baekground  to  Ihe  lopies 
adumbrated  above,  nor  to  diseuss  Ihe  design  ehoiees  in  TTA,  bul  a  suilable  inlroduelion  is 
available  in  a  previous  paper  [54]  (and  in  more  delail  in  [55]).  Neilher  is  if  possible,  wilhin 
Ihe  limilalions  of  Ibis  paper,  to  deseribe  in  delail  Ihe  formal  verifi  ealions  lhal  have  already 
been  performed  for  eerfain  TTA  algorilhms.  Instead,  my  goal  here  is  to  provide  an  overview 
of  Ihese  verifi  ealions,  and  some  of  Iheir  hislorieal  anleeedenls,  foeusing  on  Ihe  imporlanee 
of  Ihe  exael  faull  hypolheses  lhal  are  eonsidered  for  eaeh  algorilhm  and  on  Ihe  ways  in 
whieh  Ihe  differenl  algorilhms  inlerael.  I  also  indieale  teehniques  lhal  inerease  Ihe  amounl 


105 


of  automation  that  can  be  used  in  these  verifi  cations,  and  suggest  approaches  that  may  be 
useful  in  tackling  some  of  the  challenges  that  still  remain. 


2  Clock  Synchronization 

As  its  full  name  indicates,  the  Time-Triggered  Architecture  uses  the  passage  of  time  to 
schedule  its  activity  and  to  coordinate  its  distributed  components.  A  fault  tolerant  dis¬ 
tributed  clock  synchronization  algorithm  is  therefore  one  of  TTA’s  fundamental  elements. 

Host  computers  attach  to  TTA  through  an  interface  controller  that  implements  the 
TTP/C  protocol.  I  refer  to  the  combination  of  a  host  and  its  TTA  controller  as  a  node. 
Each  controller  contains  an  oscillator  from  which  it  derives  its  local  notion  of  time  (i.e.,  a 
clock).  Operation  of  TTA  is  driven  by  a  global  schedule,  so  it  is  important  that  the  local 
clocks  are  always  in  close  agreement.  Drift  in  the  oscillators  causes  the  various  local  clocks 
to  drift  apart  so  periodically  (several  hundred  times  a  second)  they  must  be  resynchronized. 
What  makes  this  diffi  cult  is  that  some  of  the  clocks  may  be  faulty. 

The  clock  synchronization  algorithm  used  in  TTA  is  a  modifi  cation  of  the  Welch-Lynch 
(also  known  as  Lundelius-Lynch)  algorithm  [78],  which  itself  can  be  understood  as  a  par¬ 
ticular  case  of  the  abstract  algorithm  described  by  Schneider  [66].  Schneider’s  abstract 
algorithm  operates  as  follows:  periodically,  the  nodes  decide  that  it  is  time  to  resynchro¬ 
nize  their  clocks,  each  node  determines  the  skews  between  its  own  clock  and  those  of  other 
nodes,  forms  a  fault-tolerant  average  of  these  values,  and  adjusts  its  own  clock  by  that 
amount. 

An  intuitive  explanation  for  the  general  approach  is  the  following.  After  a  resynchro¬ 
nization,  all  the  nonfaulty  clocks  will  be  close  together  (this  is  the  defi  nition  of  synchro¬ 
nization);  by  the  time  that  they  next  synchronize,  the  nonfaulty  clocks  may  have  drifted 
further  apart,  but  the  amount  of  drift  is  bounded  (this  is  the  defi  nition  of  a  good  clock);  the 
clocks  can  be  brought  back  together  by  setting  them  to  some  value  close  to  the  middle  of 
their  spread.  An  “ordinary  average”  (e.g.,  the  mean  or  median)  over  all  clocks  may  be  af¬ 
fected  by  wild  readings  from  faulty  clocks  (which,  under  a  Byzantine  fault  hypothesis,  may 
provide  different  readings  to  different  observers),  so  we  need  a  “fault-tolerant  average”  that 
is  insensitive  to  a  certain  number  of  readings  from  faulty  clocks. 

The  Welch-Lynch  algorithm  is  characterized  by  use  of  the.  fault-tolerant  midpoint  as  its 
averaging  function.  If  we  have  n  clocks  and  the  maximum  number  of  simultaneous  faults 
to  be  tolerated  is  k  (3 A:  <  n),  then  the  fault-tolerant  midpoint  is  the  average  of  the  k  -t-  I’st 
and  n  —  A:’th  clock  skew  readings,  when  these  are  arranged  in  order  from  smallest  to  largest. 
If  there  are  at  most  k  faulty  clocks,  then  some  reading  from  a  nonfaulty  clock  must  be  at 
least  as  small  as  the  A:  -f  I’st  reading,  and  the  reading  from  another  nonfaulty  clock  must  be 
at  least  as  great  as  the  n  —  A:’th;  hence,  the  average  of  these  two  readings  should  be  close  to 
the  middle  of  the  spread  of  readings  from  good  clocks. 

The  TTA  algorithm  is  basically  the  Welch-Lynch  algorithm  specialized  for  A:  =  1  (i.e., 
it  tolerates  a  single  fault):  that  is,  clocks  are  set  to  the  average  of  the  2nd  and  n  —  I’st 


106 


clock  readings  (i.e.,  the  second-smallest  and  second-largest).  This  algorithm  works  and 
tolerates  a  single  arbitrary  fault  whenever  n  >  4.  TTA  does  not  use  dedicated  wires  to 
communicate  clock  readings  among  the  nodes  attached  to  the  network;  instead,  it  exploits 
the  fact  that  communication  is  time  triggered  according  to  a  global  schedule.  When  a  node 
a  receives  a  message  from  a  node  b,  it  notes  the  reading  of  its  local  clock  and  subtracts  a 
fi  xed  correction  term  to  account  for  the  network  delay;  the  difference  between  this  adjusted 
clock  reading  and  the  time  for  6’s  transmission  that  is  indicated  in  the  global  schedule  yields 
a’s  perception  of  the  skew  between  clocks  a  and  b. 

Not  all  nodes  in  a  TTA  system  need  have  accurate  oscillators  (they  are  expensive),  so 
TTA’s  algorithm  is  modifi  ed  from  Welch-Lynch  to  use  only  the  clock  skews  from  nodes 
marked^  as  having  accurate  oscillators.  Analysis  and  verifi  cation  of  this  variant  can  be 
adapted  straightforwardly  from  that  of  the  basic  algorithm.  Unfortunately,  TTA  adds  an¬ 
other  complication. 

For  scalability,  an  implementation  on  the  Welch-Lynch  algorithm  should  use  data  struc¬ 
tures  that  are  independent  of  the  number  of  nodes — i.e.,  it  should  not  be  necessary  for  each 
node  to  store  the  clock  difference  readings  for  all  (accurate)  clocks.  Clearly,  the  second- 
smallest  clock  difference  reading  can  be  determined  with  just  two  registers  (one  to  hold  the 
smallest  and  another  for  the  second-smallest  reading  seen  so  far),  and  the  second-largest 
can  be  determined  similarly,  for  a  total  of  four  registers  per  node.  If  TTA  used  this  ap¬ 
proach,  verifi  cation  of  its  clock  synchronization  algorithm  would  follow  straightforwardly 
from  that  of  Welch-Lynch.  Instead,  for  reasons  that  are  not  described,  TTA  does  not  con¬ 
sider  all  the  accurate  clocks  when  choosing  the  second-smallest  and  second-largest,  but  just 
four  of  them. 

The  four  clocks  considered  for  synchronization  are  chosen  as  follows.  First,  TTA  is 
able  to  tolerate  more  than  a  single  fault  by  reconfi  guring  to  exclude  nodes  that  are  detected 
to  be  faulty.  This  is  accomplished  by  the  group  membership  algorithm  of  TTA,  which  is 
discussed  in  the  following  section.^  The  four  clocks  considered  for  synchronization  are 
chosen  from  the  members  of  the  current  membership;  it  is  therefore  essential  that  group 
membership  have  the  property  that  all  nonfaulty  nodes  have  the  same  members  at  all  times. 
Next,  each  node  maintains  a  queue  of  four  clock  readings^ ;  whenever  a  message  is  received 
from  a  node  that  is  in  the  current  membership  and  that  has  the  SYF  field  sef,  fhe  clock 
difference  reading  is  pushed  on  fo  fhe  receiving  node’s  queue  (ejecting  fhe  oldesf  reading 
in  fhe  queue).  Finally,  when  fhe  currenf  slof  has  fhe  synchronization  fi  eld  (CS)  sef  in  fhe 
MEDL,  each  node  runs  fhe  synchronization  algorifhm  using  fhe  four  clock  readings  stored 
in  ifs  queue. 

Formal  verifi  cation  of  fhe  TTA  algorifhm  requires  more  fhan  simply  verifying  a  four- 
clocks  version  of  fhe  basic  Welch-Lynch  algorifhm:  for  example,  fhe  chosen  clocks  can 

*By  having  the  SYF  fi  eld  set  in  the  MEDL  (the  global  schedule  known  to  all  nodes). 

node  whose  clock  loses  synchronization  will  suffer  send  and/or  receive  faults  and  will  therefore  be 
detected  and  excluded  by  the  group  membership  algorithm. 

^It  is  described  as  a  push-down  stack  in  the  TTP/C  specifi  cation  [75],  but  this  seems  to  be  an  error. 


107 


change  from  one  round  to  the  next.  However,  verifi  cation  of  the  basic  algorithm  provides  a 
foundation  for  the  TTA  case. 

Formal  verifi  cation  of  clock  synchronization  algorithms  has  quite  a  long  history,  be¬ 
ginning  with  Rushby  and  von  Henke’s  verification  [60]  of  the  interactive  convergence 
algorithm  of  Lamport  and  Melliar  Smith  [32];  this  is  similar  to  the  Welch-Lynch  algo¬ 
rithm,  except  that  the  egocentric  mean  is  used  as  the  fault-tolerant  average.  Shankar  [70] 
formally  verifi  ed  Schneider’s  absfracf  algorifhm  and  ifs  insfanfiafion  for  inferacfive  con¬ 
vergence.  This  formalization  was  subsequenfly  improved  by  Miner  (reducing  fhe  diffi  - 
cully  of  fhe  proof  obligations  needed  fo  esfablish  fhe  correclness  of  specifi  c  insfanliafions), 
who  also  verified  fhe  Welch-Lynch  inslanlialion  [38].  All  Ihese  verifications  were  un- 
derlaken  wilh  Ehdm  [61],  a  precursor  fo  PVS  [41].  The  frealmenf  developed  by  Miner 
was  franslafed  fo  PVS  and  generalized  (fo  admif  nonaveraging  algorifhms  such  as  fhaf  of 
Srikanfh  and  Toueg  [73]  fhaf  do  nol  conform  fo  Schneider’s  frealmenf)  by  Schwier  and  von 
Henke  [69].  This  frealmenf  was  Ihen  extended  fo  fhe  TTA  algorifhm  by  Pfeifer,  Schwier 
and  von  Henke  [45].  The  TTA  algorifhm  is  intended  fo  operale  in  nelworks  where  Ihere  are 
af  leasl  four  good  clocks,  and  if  is  able  fo  mask  any  single  faull  in  Ibis  circumslance.  Pfeifer, 
Schwier  and  von  Henke’s  verifi  cation  esfablishes  Ihis  properly.  Additional  challenges  still 
remain,  however. 

In  keeping  wilh  fhe  never  give  up  philosophy  fhaf  is  appropriale  for  safely-crilical  ap¬ 
plications,  TTA  should  remain  operational  wilh  less  lhan  four  good  clocks,  Ihough  “fhe 
requiremenl  fo  handle  a  Byzanline  faull  is  waived”  [75,  page  85].  If  would  be  valuable 
fo  characlerize  and  formally  verify  fhe  exacl  faull  lolerance  achieved  in  Ihese  cases.  One 
approach  fo  achieving  Ibis  would  be  fo  underlake  fhe  verifi  calion  in  fhe  conlexl  of  a  “hy¬ 
brid”  faull  model  such  as  fhaf  inlroduced  for  consensus  by  Thambidurai  and  Park  [74].  In 
a  pure  Byzanline  faull  model,  all  faulls  are  frealed  as  arbilrary:  nolhing  is  assumed  aboul 
fhe  behavior  of  faully  componenls.  A  hybrid  faull  model  inlroduces  additional,  conslrained 
kinds  of  faulls  and  Ihe  verifi  cation  is  extended  fo  examine  Ihe  behavior  of  Ihe  algorilhm 
concerned  under  combinations  of  several  faulls  of  differenl  kinds.  Thambidurai  and  Park’s 
model  augmenls  Ihe  Byzantine  or  arbitrary  faull  model  wilh  manifest  and  symmetric  faulls. 
A  manifesl  faull  is  one  lhal  is  consislenlly  deleclable  by  all  nonfaully  nodes;  a  symmel- 
ric  faull  is  unconslrained,  excepl  lhal  il  appears  Ihe  same  lo  all  nonfaully  nodes.  Rushby 
reinterpreted  Ibis  faull  model  for  clock  synchronization  and  extended  verifi  cation  of  Ihe  in¬ 
teractive  convergence  algorilhm  lo  Ibis  more  elaborate  faull  model  [49].  He  showed  lhal  Ihe 
interactive  convergence  algorilhm  wilh  n  nodes  can  wilhsland  a  arbilrary,  s  symmelric,  and 
m  manifesl  faulls  simullaneously,  provided  n  >  3a  +  2s  +  m.  Thus,  a  Ihree-clock  system 
using  Ihis  algorilhm  can  wilhsland  a  symmelric  faull  or  Iwo  manifesl  faulls. 

Rushby  also  extended  Ibis  analysis  lo  link  faulls,  which  can  be  considered  as  asymmel- 
ric  and  possibly  inlermillenl  manifesl  faulls  (i.e.,  node  a  may  oblain  a  correcl  reading  of 
node  6’s  clock  while  node  c  oblains  a  deleclably  faully  reading).  The  faull  lolerance  of  Ihe 
algorilhm  is  Ihen  n>  3a  +  2s +  m  +  l  where  I  is  Ihe  maximum,  over  all  pairs  of  nodes,  of 
Ihe  number  of  nodes  lhal  have  faully  links  lo  one  or  olher  of  Ihe  pair. 


108 


It  would  be  interesting  to  extend  formal  verifi  eation  of  the  TTA  algorithm  to  this  fault 
model.  Not  only  would  this  enlarge  the  analysis  to  eases  where  fewer  than  three  good  eloeks 
remain,  but  it  eould  also  provide  a  mueh  simpler  way  to  deal  with  the  peeuliarities  of  the 
TTA  algorithm  (i.e.,  its  use  of  queues  of  just  four  eloeks).  Instead  of  explieitly  modeling 
properties  of  the  queues,  we  eould,  under  a  fault  model  that  admits  link  faults,  imagine  that 
the  queues  are  larger  and  eontain  eloek  differenee  readings  from  the  full  set  of  nodes,  but 
that  link  faults  reduee  the  number  of  valid  readings  aetually  present  in  eaeh  queue  to  four 
(this  idea  was  suggested  by  Holger  Pfeifer).  A  reeent  paper  by  Sehmid  [64]  eonsiders  link 
faults  for  eloek  synehronization  in  a  very  general  setting,  and  establishes  bounds  on  fault 
toleranee  for  both  the  Weleh-Lyneh  and  Srikanth-Toueg  algorithms  and  I  believe  this  would 
be  an  exeellent  foundation  for  a  eomprehensive  verifi  eation  of  the  TTA  algorithm. 

All  the  formal  verifi  eafions  of  eloek  synehronizafions  menfioned  above  are  “brufe 
foree”:  fhey  are  essenfially  meehanized  reproduefions  of  proofs  originally  underfaken  by 
hand.  The  proofs  depend  heavily  on  arifhmefie  reasoning  and  ean  be  formalized  af  rea¬ 
sonable  eosf  only  wifh  fhe  aid  of  verifi  eafion  sysfems  fhaf  provide  effeefive  meehanizafion 
for  arifhmefie,  sueh  as  PVS.  Even  fhese  sysfems,  however,  fypieally  meehanize  only  linear 
arifhmefie  and  require  fediously  many  human-direefed  proof  sfeps  (or  numerous  inferme- 
diafe  lemmas)  fo  verify  fhe  formulas  fhaf  arise  in  eloek  synehronizafion.  The  new  ICS 
decision  procedures  [16]  developed  for  PVS  include  (incomplefe)  extensions  fo  nonlinear 
producfs  and  if  will  be  inferesfing  fo  explore  fhe  exfenl  fo  which  such  extensions  simplify 
formal  verifi  eafion  of  clock  synehronizafion  algorifhms.'^  Even  if  all  fhe  arilhmefic  rea¬ 
soning  were  complefely  aufomafed,  currenf  approaches  fo  formal  verifi  eafion  of  clock  syn- 
chronizafion  algorifhms  sfill  depend  heavily  on  human  insighf  and  guidance.  The  problem 
is  fhaf  fhe  synehronizafion  properfy  is  nof  inducfive:  if  musf  be  sfrengfhened  by  fhe  con- 
juncfion  of  several  ofher  properfies  fo  achieve  a  properly  fhaf  is  inducfive.  These  additional 
properties  are  infricafe  arilhmefic  slalemenls  whose  invention  seems  fo  require  considerable 
human  insighf.  If  would  be  inferesfing  fo  see  if  modern  melhods  for  invarianl  discovery  and 
slrenglhening  [6,7,76]  can  generate  some  of  fhese  automatically,  or  if  fhe  need  for  Ihem 
could  be  sidestepped  using  reachabilily  analysis  on  linear  hybrid  aulomala. 

All  fhe  verifi  eafions  described  above  deal  wifh  fhe  sleady-slale  case;  inilial  synchro- 
nizalion  is  quile  a  differenl  challenge.  Nole  fhaf  (re)inilializalion  may  be  required  during 
operalion  if  fhe  system  suffers  a  massive  failure  (e.g.,  due  to  powerful  eleclromagnelic  ef- 
fecfs),  so  if  musf  be  fasl.  The  basic  idea  is  fhaf  a  node  fhaf  delecls  no  activity  on  fhe  bus  for 
some  time  will  assume  fhaf  inilializalion  is  required  and  if  will  broadcasl  a  wakeup  mes¬ 
sage:  nodes  fhaf  receive  fhe  message  will  synchronize  to  if.  Of  course,  ofher  nodes  may 
make  fhe  same  determination  af  aboul  fhe  same  lime  and  may  send  wakeup  messages  fhaf 
collide  wifh  olhers.  In  fhese  cases,  nodes  back  off  for  (differenl)  node-specifi  c  infervals 
and  fry  again.  However,  if  is  diffi  cull  fo  delecl  collisions  wifh  perfecl  accuracy  and  simple 
algorifhms  can  lead  to  existence  of  groups  of  nodes  synchronized  wilhin  Ihemselves  bul  un¬ 
i'll  is  not  enough  to  mechanize  real  arithmetic  on  its  own;  it  must  be  combined  with  inequalities,  integer 
linear  arithmetic,  equality  over  uninterpreted  function  symbols  and  several  other  theories  [50]. 


109 


aware  of  the  existenee  of  the  other  groups.  All  of  these  eomplieations  must  be  addressed  in 
a  eontext  where  some  nodes  are  faulty  and  may  not  be  following  (indeed,  may  be  aetively 
disrupting)  the  intended  algorithm.  The  latest  version  of  TTA  uses  a  star  topology  and 
the  initialization  algorithm  is  being  revised  to  exploit  some  additional  safeguards  that  the 
eentral  guardian  makes  possible  [42].  Verifieation  of  initialization  algorithms  is  ehalleng- 
ing  beeause,  as  elearly  explained  in  [42],  the  essential  purpose  of  sueh  an  algorithm  is  to 
eause  a  transition  between  two  models  of  eomputation:  from  asynehronous  to  synehronous. 
Formal  explieation  of  this  issue,  and  verifi  eation  of  the  TTA  initialization  algorithm,  are 
worthwhile  endeavors  for  the  future. 


3  Transmission  Window  Timing 

Synehronized  eloeks  and  a  global  sehedule  ensure  that  nonfaulty  nodes  broadeast  their  mes¬ 
sages  in  disjoint  time  slots:  messages  sent  by  nonfaulty  nodes  are  guaranteed  not  to  eollide 
on  the  bus.  A  faulty  node,  however,  eould  broadeast  at  any  time — it  eould  even  broadeast 
eonstantly  (the  babbling  failure  mode).  This  fault  is  eountered  by  use  of  a  separate  fault 
eontainment  unit  ealled  a  guardian  that  has  independent  knowledge  of  the  time  and  the 
sehedule:  a  message  sent  by  one  node  will  reaeh  others  only  if  the  guardian  agrees  that  it  is 
indeed  seheduled  for  that  time. 

Now,  the  sending  node,  the  guardian,  and  eaeh  reeeiving  node  have  synehronized 
eloeks,  but  there  must  be  some  slaek  in  the  time  window  they  assign  to  eaeh  slot  so  that 
good  messages  are  not  truneated  or  rejeeted  due  to  eloek  skew  within  the  bounds  guaran¬ 
teed  by  the  synehronization  algorithm.  The  design  rules  used  in  TTA  are  the  following, 
where  11  is  the  maximum  eloek  skew  between  synehronized  eomponents. 

•  The  reeeive  window  extends  from  the  beginning  of  the  slot  to  4  If  beyond  its  allotted 
duration. 

•  Transmission  begins  2  If  units  after  the  beginning  of  the  slot  and  should  last  no  longer 
than  the  allotted  duration. 

•  The  bus  guardian  for  a  transmitter  opens  its  window  11  units  after  the  beginning  of 
the  slot  and  eloses  it  3 11  beyond  its  allotted  duration. 

These  rules  are  intended  to  ensure  the  following  requirements. 

Agreement:  If  any  nonfaulty  node  aeeepts  a  transmission,  then  all  nonfaulty  nodes  do. 

Validity:  If  any  nonfaulty  node  transmits  a  message,  then  all  nonfaulty  nodes  will  aeeept 
the  transmission. 

Separation:  messages  sent  by  nonfaulty  nodes  or  passed  by  nonfaulty  guardians  do  not 
arrive  before  other  eomponents  have  fi  nished  the  previous  slot,  nor  after  they  have 
started  the  following  one. 


110 


Formal  specifi  cation  and  verifi  cation  of  these  properties  is  a  relatively  straightforward 
exercise.  Description  of  a  formal  treatment  using  PVS  is  available  as  a  technical  report  [57]. 


4  Group  Membership 

The  clock  synchronization  algorithm  tolerates  only  a  single  (arbitrary)  fault.  Additional 
faults  are  tolerated  by  diagnosing  the  faulty  node  and  reconti  guring  to  exclude  it.  This 
diagnosis  and  reconti  guration  is  performed  by  the  group  membership  algorithm  of  TTA, 
which  ensures  that  each  TTA  node  has  a  record  of  which  nodes  are  currently  participating 
correctly  in  the  TTP/C  protocol.  In  addition  to  supporting  the  internal  fault  tolerance  of 
TTA,  membership  information  is  made  available  as  a  service  to  applications;  this  supports 
the  construction  of  relatively  simple,  but  correct,  strategies  for  tolerating  faults  at  the  ap¬ 
plication  level.  For  example,  in  an  automobile  brake-by-wire  application,  the  node  at  each 
wheel  can  adjust  its  braking  force  to  compensate  for  the  failure  (as  indicated  in  the  mem¬ 
bership  information)  of  the  node  or  brake  at  another  wheel.  For  such  strategies  to  work, 
it  is  obviously  necessary  that  the  membership  information  should  be  reliable,  and  that  the 
application  state  of  nonmembers  should  be  predictable  (e.g.,  the  brake  is  fully  released). 

Group  membership  is  a  distributed  algorithm:  each  node  maintains  a  private  member¬ 
ship  list,  which  records  all  the  nodes  that  it  believes  to  be  nonfaulty.  Reliability  of  the 
membership  information  is  characterized  by  the  following  requirements. 

Agreement:  The  membership  lists  of  all  nonfaulty  nodes  are  the  same. 

Validity:  The  membership  lists  of  all  nonfaulty  nodes  contain  all  nonfaulty  nodes  and  at 
most  one  faulty  node  (we  cannot  require  immediate  removal  of  faulty  nodes  because 
a  fault  must  be  manifested  before  it  can  be  diagnosed). 

These  requirements  can  be  satisfi  ed  only  under  restricted  fault  hypotheses.  For  example, 
validity  cannot  be  satisfi  ed  if  new  faults  arrive  too  rapidly,  and  it  is  provably  impossible  to 
diagnose  an  arbitrary-faulty  node  with  certainty.  When  unable  to  maintain  accurate  mem¬ 
bership,  the  best  recourse  is  to  maintain  agreement,  but  sacrifi  ce  validity.  This  weakened 
requirement  is  called  clique  avoidance. 

Two  additional  properties  also  are  desirable  in  a  group  membership  algorithm. 

Self-diagnosis:  faulty  nodes  eventually  remove  themselves  from  their  own  membership 
lists  and  fail  silently  (i.e.,  cease  broadcasting). 

Reintegration:  it  should  be  possible  for  excluded  but  recovered  nodes  to  determine  the 
current  membership  and  be  readmitted. 

TTA  operates  as  a  broadcast  bus  (even  though  the  recent  versions  are  stars  topologi¬ 
cally);  the  global  schedule  executes  as  a  repetitive  series  of  rounds,  and  each  node  is  al¬ 
located  a  broadcast  slot  in  each  round.  The  fault  hypothesis  of  the  membership  algorithm 


111 


is  a  benign  one:  faults  must  arrive  two  or  more  rounds  apart,  and  must  be  symmetrie  in 
their  manifestations:  either  all  or  exaetly  one  node  may  fail  to  reeeive  a  broadeast  message 
(the  former  is  ealled  a  send  fault,  the  latter  a  receive  fault).  The  membership  requirements 
would  be  relatively  easy  to  satisfy  if  eaeh  node  were  to  attaeh  a  eopy  of  its  membership  list 
to  eaeh  message  that  it  broadeasts.  Unfortunately,  sinee  messages  are  typieally  very  short, 
this  would  use  rather  a  lot  of  bandwidth  (and  bandwidth  was  a  preeious  eommodity  in  early 
implementations  of  TTA),  so  the  algorithm  must  operate  with  less  explieit  information  and 
nodes  must  infer  the  state  and  membership  of  other  nodes  through  indireet  means.  This 
operates  as  follows. 

Eaeh  aetive  TTA  node  maintains  a  membership  list  of  those  nodes  (ineluding  itself) 
that  it  believes  to  be  aetive  and  operating  eorreetly.  Eaeh  node  listens  for  messages  from 
other  nodes  and  updates  its  membership  list  aeeording  to  the  information  that  it  reeeives. 
The  time-triggered  nature  of  the  protoeol  means  that  eaeh  node  knows  when  to  expeet  a 
message  from  another  node,  and  it  ean  therefore  deteet  the  absenee  of  sueh  a  message. 
Each  message  carries  a  CRC  checksum  that  encodes  information  about  its  sender’s  C-State, 
which  includes  its  local  membership  list.  To  infer  the  local  membership  of  the  sender  of 
a  message,  receivers  must  append  their  estimate  of  that  membership  (and  other  C-state 
information)  to  the  message  and  then  check  whether  the  calculated  CRC  matches  that  sent 
with  the  message.  It  is  not  feasible  (or  reliable)  to  try  all  possible  memberships,  so  receivers 
perform  the  check  against  just  their  own  local  membership,  and  one  or  two  variants. 

Transmission  faults  are  detected  as  follows:  each  broadcaster  listens  for  the  message 
from  its  first  successor  (roughly  speaking,  this  will  be  the  next  node  to  broadcast)  to  check 
whether  it  suffered  a  transmission  fault:  this  will  be  indicated  by  its  exclusion  from  the 
membership  list  of  the  message  from  its  fi  rst  successor.  However,  this  indication  is  am¬ 
biguous:  it  could  be  the  result  of  a  transmission  fault  by  the  original  broadcaster,  or  of  a 
receive  fault  by  the  successor.  Nodes  use  the  local  membership  carried  by  the  message  from 
their  second  successor  to  resolve  this  ambiguity:  a  membership  that  excludes  the  original 
broadcaster  but  includes  the  first  successor  indicates  a  transmission  fault  by  the  original 
broadcaster,  and  one  that  includes  the  original  broadcaster  but  excludes  the  fi  rsf  successor 
indicafes  a  receive  faulf  by  fhe  fi  rsf  successor. 

Nodes  fhaf  suffer  receive  faulfs  could  diagnose  fhemselves  in  a  similar  way:  fheir  local 
membership  lisfs  will  differ  from  fhose  of  nonfaulfy  nodes,  so  fheir  nexf  broadcasf  will  be 
rejected  by  bofh  fheir  successors.  However,  fhe  algorifhm  acfually  performs  fhis  diagnosis 
differenfly.  Each  node  mainfains  accept  and  reject  counters  fhaf  are  initialized  fo  1  and  0, 
respecfively,  following  ifs  own  broadcasf.  Incoming  messages  fhaf  indicafe  a  membership 
mafching  fhaf  of  fhe  receiver  cause  fhe  receiver  fo  incremenf  ifs  accepf  counf;  ofhers  (i.e., 
fhose  fhaf  indicafe  a  differenf  membership  or  fhaf  are  considered  invalid  for  ofher  reasons) 
cause  if  fo  incremenf  ifs  rejecf  counf.  Before  broadcasfing,  each  node  compares  ifs  accepf 
and  rejecf  counfs  and  shufs  down  unless  fhe  former  is  greater  fhan  fhe  laffer. 

Eormal  verifi  cafion  of  fhis  algorifhm  is  diffi  culf.  We  wish  fo  prove  fhaf  agreemenf  and 
validify  are  invarianfs  of  fhe  algorifhm  (i.e.,  fhey  are  frue  of  all  reachable  slates),  bul  if  is 


112 


diffi  cult  to  do  this  directly  (because  it  is  hard  to  characterize  the  reachable  states).  So,  in¬ 
stead,  we  try  to  prove  a  stronger  property:  namely,  that  agreement  and  validity  are  inductive 
(that  is,  true  of  the  initial  states  and  preserved  by  all  steps  of  the  algorithm).  The  general 
problem  with  this  approach  to  verifi  cation  of  safety  properties  of  distributed  algorithms  is 
that  natural  statements  of  the  properties  of  interest  are  seldom  inductive.  Instead,  it  is  nec¬ 
essary  to  strengthen  them  by  conjoining  additional  properties  until  they  become  inductive. 
The  additional  properties  typically  are  discovered  by  examining  failed  proofs  and  require 
human  insight. 

Before  details  of  the  TTA  group  membership  algorithm  were  known,  Katz,  Lincoln, 
and  Rushby  published  a  different  algorithm  for  a  similar  problem,  together  with  an  infor¬ 
mal  proof  of  its  correctness  [23]  (I  will  call  this  the  “WDAG”  algorithm).  A  flaw  in  this 
algorithm  for  the  special  case  of  three  nodes  was  discovered  independently  by  Shankar  and 
by  Creese  and  Roscoe  [12]  and  considerable  effort  was  expended  in  attempts  to  formally 
verify  the  corrected  version.  A  suitable  method  was  found  by  Rushby  [53]  who  used  it  to 
formally  verify  the  WDAG  algorithm,  but  used  a  simplifi  ed  algorithm  (called  the  “CAV” 
algorithm)  to  explicate  the  method  in  [53].  The  method  is  based  on  strengthening  a  putative 
safety  property  into  a  disjunction  of  “confi  gurations”  that  can  easily  be  proved  to  be  induc¬ 
tive.  Conti  gurations  can  be  constructed  systematically  and  transitions  among  them  have  a 
natural  diagrammatic  representation  that  conveys  insight  into  the  operation  of  the  algorithm. 
Pfeifer  subsequently  used  this  method  to  verify  validity,  agreement,  and  self-diagnosis  for 
the  full  TTA  membership  algorithm  [44]  (verifi  cation  of  self-diagnosis  is  not  described  in 
the  paper). 

Although  the  method  just  described  is  systematic,  it  does  require  considerable  human 
interaction  and  insight,  so  more  automatic  methods  are  desirable.  All  the  group  member¬ 
ship  algorithms  mentioned  (CAV,  WDAG,  TTA)  are  n-process  algorithms  (so-called  pa¬ 
rameterized  systems),  so  one  attractive  class  of  methods  seeks  to  reduce  the  general  case  to 
some  fi  xed  confi  guration  (say  four  processes)  of  an  abstracted  algorithm  that  can  be  model 
checked.  Creese  and  Roscoe  [12]  report  an  investigation  along  these  lines  for  the  WDAG 
algorithm.  The  diffi  culfy  in  such  approaches  is  fhaf  proving  fhaf  fhe  absfracfed  algorifhm  is 
faifhful  fo  fhe  original  is  often  as  hard  as  fhe  direcf  proof. 

An  alfernafive  is  fo  construct  fhe  abslracfed  algorifhm  using  automated  fheorem  proving 
so  fhaf  fhe  resulf  is  guaranfeed  fo  be  sound,  buf  possibly  loo  conservative.  These  melhods 
are  widely  used  for  predicafe  [62]  and  dala  [11]  absfraclion  (bofh  melhods  are  implemented 
in  PVS  using  a  generalizalion  of  fhe  lechnique  described  in  [63]),  and  have  been  applied 
fo  n-process  examples  [71].  The  precision  of  an  absfraclion  is  delermined  by  fhe  guidance 
provided  to  fhe  calculalion  (e.g.,  which  predicates  to  abslracl  on)  and  by  fhe  power  of  fhe 
aulomaled  deduclion  melhods  fhaf  are  employed.^  The  logic  called  WSIS  is  very  attractive 
in  Ibis  regard,  because  if  is  very  expressive  (if  can  represenl  arilhmelic  and  sel  operations  on 
infegers)  and  if  is  decidable  [14].  The  melhod  implemented  in  fhe  PAX  tool  [4,5]  performs 

^In  this  context,  automated  deduction  methods  are  used  in  a  failure-tolerant  manner,  so  that  if  the  methods 
fail  to  prove  a  true  theorem,  the  resulting  abstraction  will  be  sound,  but  more  conservative  than  necessary. 


113 


automated  abstraction  of  parameterized  specifi  cations  modeled  in  WS  IS.  Application  of  the 
tool  to  the  CAV  group  membership  protocol  is  described  on  the  PAX  web  page  at  http :  /  / 
WWW .  inf  ormat  ik  .uni-kiel.de/~kba/pax/  examples  .  html.  The  abstraction  yields 
a  fi  nite-state  system  that  can  be  examined  by  model  checking.  I  conjecture  that  extension 
of  this  method  to  the  TTA  algorithm  may  prove  diffi  cult  because  the  counters  used  in  that 
algorithm  add  an  extra  unbounded  dimension. 

The  design  of  TTA  (and  particularly  of  the  central  guardian)  is  intended  to  minimize  vi¬ 
olations  of  the  benign  fault  hypothesis  of  the  group  membership  algorithm.  But  we  cannot 
guarantee  absence  of  such  violations,  so  the  membership  algorithm  is  buttressed  by  a  clique 
avoidance  algorithm  (it  would  better  be  called  a  clique  elimination  algorithm)  that  sacrifi  ces 
validity  but  maintains  agreement  under  weakened  fault  hypotheses.  Clique  avoidance  is  ac¬ 
tually  a  subalgorithm  of  the  membership  algorithm:  it  comprises  just  the  part  that  manages 
the  accept  and  reject  counters  and  that  causes  a  node  to  shut  down  prior  to  a  broadcast  un¬ 
less  its  accept  count  exceeds  its  reject  count  at  that  point.  The  clique  avoidance  algorithm 
can  be  analyzed  either  in  isolation  or,  more  accurately,  in  the  presence  of  the  rest  of  the 
membership  algorithm  (this  is,  the  part  that  deals  with  the  fi  rst  and  second  successor). 

Beyond  the  benign  fault  hypothesis  lie  asymmetric  faults  (where  more  than  one  but  less 
than  all  nodes  fail  to  receive  a  broadcast  correctly),  and  multiple  faults,  which  are  those 
that  arrive  less  than  two  rounds  apart.  These  hypotheses  all  concern  loss  of  messages;  ad¬ 
ditional  hypotheses  include  processor  faults,  where  nodes  fail  to  follow  the  algorithm,  and 
transient  faults,  where  nodes  have  their  state  corrupted  (e.g.,  by  high-intensity  radiation) 
but  otherwise  follow  the  algorithm  correctly. 

Bauer  and  Paulitsch  [3]  describe  the  clique  avoidance  algorithm  and  give  an  informal 
proof  that  it  tolerates  a  single  asymmetric  fault.  Their  analysis  includes  the  effects  of  the  rest 
of  the  membership  algorithm.  Bouajjani  and  Merceron  [8]  prove  that  the  clique  avoidance 
algorithm,  considered  in  isolation,  tolerates  multiple  asymmetric  faults;  they  also  describe 
an  abstraction  for  the  n-node,  A:-faults  parameterized  case  that  yields  a  counter  automaton. 
Reachability  is  decidable  for  this  class  of  systems,  and  experiments  are  reported  with  two 
automated  verifi  ers  for  the  A:  =  1  case. 

For  transient  faults,  I  conjecture  that  the  most  appropriate  framework  for  analysis  is 
that  of  self-stabilization  [68].  An  algorithm  is  said  to  be  self-stabilizing  if  it  converges  to 
a  stable  “good”  state  starting  from  an  arbitrary  initial  state.  The  arbitrary  initial  state  can 
be  one  caused  by  an  electromagnetic  upset  (e.g.,  that  changes  the  values  of  the  accept  and 
reject  counters),  or  by  other  faults  outside  the  benign  fault  hypotheses. 

An  attractive  treatment  of  self-stabilization  is  provided  by  the  “Detectors  and  Correc¬ 
tors”  theory  of  Arora  and  Kulkarni.  The  full  theory  [2,  31]  is  comprehensive  and  more 
than  is  needed  for  my  purposes,  so  I  present  a  simplifi  ed  and  slightly  modifi  ed  version  that 
adapts  the  important  insights  of  the  original  formulation  to  the  problem  at  hand. 

We  assume  some  “base”  algorithm  M  whose  purpose  is  to  maintain  an  invariant  S:  that 
is,  if  the  (distributed)  system  starts  in  a  state  satisfying  the  predicate  5,  then  execution  of  M 
will  maintain  that  property.  In  our  case,  M  is  the  TTA  group  membership  algorithm,  and  S 


114 


is  the  conjunction  of  the  agreement  and  validity  properties.  M  corresponds  to  what  Arora 
and  Kulkarni  call  the  “fault-intolerant”  program,  but  in  our  context  it  is  actually  a  fault- 
tolerant  algorithm  in  its  own  right.  This  aspect  of  the  system’s  operation  can  be  specifi  ed 
by  the  Hoare  formula 

{S}M\\F{S} 

where  F  is  a  “fault  injector”  that  characterizes  the  fault  hypothesis  of  the  base  algorithm 
and  M\\F  denotes  the  concurrent  execution  of  M  and  F. 

Now,  a  transient  fault  can  take  the  system  to  some  state  not  satisfying  S,  and  at  this 
point  our  hope  is  that  a  “corrector”  algorithm  C  will  take  over  and  somehow  cause  the 
system  to  converge  to  a  state  satisfying  S,  where  the  base  algorithm  can  take  over  again. 
We  can  represent  this  by  the  following  formula 

C  ^  05 

where  O  is  the  eventually  modality  of  temporal  logic. 

In  our  case,  C  is  the  TTA  clique  avoidance  algorithm.  So  far  we  have  treated  M  and  C 
separately  but,  as  noted  previously,  they  must  actually  run  concurrently,  so  we  really  require 

{S}C\\M\\F{S} 

and 

CIIMIIF  ^  OS. 

The  presence  of  F  in  the  last  of  these  represents  the  fact  that  although  the  disturbance  that 
took  the  system  to  an  arbitrary  state  is  assumed  to  have  passed  when  convergence  begins, 
the  standard,  benign  fault  hypothesis  still  applies. 

To  ensure  the  fi  rst  of  these  formulas,  we  need  that  C  does  not  interfere  with  M — that 

is,  that  (71  |M  behaves  the  same  as  M  (and  hence  (7| |M| jF  behaves  the  same  as  M\\F).  A 
very  direct  way  to  ensure  this  is  for  C  actually  to  be  a  subalgorithm  of  M — for  then  (7|  |M 
is  the  same  as  M.  As  we  have  already  seen  later,  this  is  the  case  in  TTA,  where  the  clique 
avoidance  algorithm  is  just  a  part  of  the  membership  algorithm. 

A  slight  additional  complication  is  that  the  corrector  may  not  be  able  to  restore  the 
system  to  the  ideal  condition  characterized  by  S,  but  only  to  some  “safe”  approximation  to 

it,  characterized  by  S'.  This  is  the  case  in  TTA,  where  clique  avoidance  sacrifi  ces  validity. 
Our  formulas  therefore  become  the  following. 


{S}C\\M\\F{S} 

(1) 

{5'}  CIIMIIF  {S'  V  S},  and  S  D  S' 

(2) 

CIIMIIF  ^  OS'. 

(3) 

115 


The  challenge  is  formally  to  verify  these  three  formulas.  Concretely,  (1)  is  accom¬ 
plished  for  TTA  by  Pfeifer’s  verifi  cation  [44]  (and  potentially,  in  more  automated  form,  by 
extensions  to  the  approaches  of  [4, 8]),  (2)  should  require  little  more  than  an  adjustment  to 
those  proofs,  and  the  hard  case  is  (3).  Bouajjani  and  Merceron’s  analysis  [8]  can  be  seen  as 
establishing 

C  h  OS' 

for  the  restricted  case  where  the  arbitrary  initial  state  is  one  produced  by  the  occurrence  of 
multiple,  possibly  asymmetric  faults  in  message  transmission  or  reception.  The  general  case 
must  consider  the  possibility  that  the  initial  state  is  produced  by  some  outside  disturbance 
that  sets  the  counters  and  flags  of  the  algorithm  to  arbitrary  values  (I  have  formally  verifi  ed 
this  case  for  a  simplifi  ed  algorithm),  and  must  also  consider  the  presence  of  M  and  F. 
Formal  verifi  cation  of  this  general  case  is  an  interesting  challenge  for  the  future.  Kulkarni 
[30,31]  has  formally  specified  and  verified  the  general  detectors  and  correctors  theory  in 
PVS,  and  this  provides  a  useful  framework  in  which  to  develop  the  argument. 

A  separate  topic  is  to  examine  the  consequences  of  giving  up  validity  in  order  to  main¬ 
tain  agreement  under  the  clique  avoidance  algorithm.  Under  the  never  give  up  philosophy, 
it  is  reasonable  to  sacrifi  ce  one  property  rather  than  lose  all  coordination  when  the  standard 
fault  hypothesis  is  violated,  but  some  useful  insight  may  be  gained  through  an  attempt  to 
formally  characterize  the  possible  behaviors  in  these  cases. 

Reintegration  has  so  far  been  absent  from  the  discussion.  A  node  that  diagnoses  a 
problem  in  its  own  operation  will  drop  out  of  the  membership,  perform  diagnostic  tests  and, 
if  these  are  satisfactory  (indicating  that  the  original  fault  was  a  transient  event),  attempt  to 
reintegrate  itself  into  the  running  system.  This  requires  that  the  node  fi  rst  (re)synchronizes 
its  clock  to  the  running  system,  then  acquires  the  current  membership,  and  then  “speaks 
up”  at  its  next  slot  in  the  schedule.  There  are  potential  diffi  culties  here:  for  example,  a 
broadcast  by  a  node  a  may  be  missed  by  a  node  b  whose  membership  is  used  to  initialize  a 
reintegrating  node  c;  rejection  of  its  message  by  b  and  c  then  causes  the  good  node  a  to  shut 
down.  This  scenario  is  excluded  by  the  requirement  that  a  reintegrating  node  must  correctly 
receive  a  certain  number  of  messages  before  it  may  broadcast  itself.  Formal  examination  of 
reintegration  scenarios  is  another  interesting  challenge  for  the  future. 

5  Interaction  of  Clock  Synchronization  and  Group  Member¬ 
ship 

Previous  sections  considered  clock  synchronization  and  group  membership  in  isolation  but 
noted  that,  in  reality,  they  interact:  synchronization  depends  on  membership  to  eliminate 
nodes  diagnosed  as  faulty,  while  membership  depends  on  synchronization  to  create  the 
time-triggered  round  structure  on  which  its  operation  depends.  Mutual  dependence  of  com¬ 
ponents  on  the  correct  operation  of  each  other  is  generally  formalized  in  terms  of  assume- 
guarantee  reasoning,  fi  rst  introduced  by  Chandy  and  Misra  [39]  and  Jones  [22].  The  idea  is 


116 


to  show  that  component  Xi  guarantees  certain  properties  Pi  on  the  assumption  that  com¬ 
ponent  X2  delivers  certain  properties  P2,  and  vice  versa  for  X2,  and  then  claim  that  the 
composition  of  Xi  and  X2  guarantees  Pi  and  P2  unconditionally.  This  kind  of  reasoning 
appears — and  indeed  is — circular  in  that  Xi  depends  on  X2  and  vice  versa.  The  circularity 
can  lead  to  unsoundness  and  there  has  been  much  research  on  the  formulation  of  rules  for 
assume-guarantee  reasoning  that  are  both  sound  and  useful.  Different  rules  may  be  com¬ 
pared  according  to  the  kinds  of  system  models  and  specifi  cation  they  support,  the  extent 
to  which  they  lend  themselves  to  mechanized  analysis,  and  the  extent  to  which  they  are 
preserved  under  refi  nement  (i.e.,  the  circumstances  under  which  Xi  can  be  replaced  by  an 
implementation  that  may  do  more  than  Xi). 

Closer  examination  of  the  circular  dependency  in  TTA  reveals  that  it  is  not  circular  if 
the  temporal  evolution  of  the  system  is  taken  into  consideration:  clock  synchronization  in 
round  t  depends  on  group  membership  in  round  f  —  1,  which  in  turn  depends  on  clock  syn¬ 
chronization  in  round  t  —  2  and  so  on.  McMillan  [37]  has  introduced  an  assume-guarantee 
mle  that  seems  appropriate  to  this  case.  McMillan’s  rule  can  be  expressed  as  follows,  where 
P  is  a  “helper”  property  (which  can  be  simply  true),  □  is  the  “always”  modality  of  Linear 
Temporal  Logic  (LTL),  and  p  \>  q  {“  p  constrains  q”)  means  that  if  p  is  always  true  up  to 
time  t,  then  q  holds  at  time  f  -f  1  (i.e.,  p  fails  before  q),  where  we  interpret  time  as  rounds. 

{H)Xi{P2>Pi) 

{H)X2{Pi>P2)  (4) 

(P)  X1IIX2  (□(PiAP2)> 

Notice  that  pt>q  can  be  written  as  the  LTL  formula  -■(p  U  ^q),  where  U  is  the  LTL  “un¬ 
til”  operator.  This  means  that  the  antecedent  formulas  can  be  established  by  LTL  model 
checking  if  the  transition  relations  for  Xi  and  X2  are  fi  nite. 

I  believe  the  soundness  of  the  circular  interaction  between  the  clock  synchronization 
and  group  membership  algorithms  of  TTA  can  be  formally  verifi  ed  using  McMillan’s  rule. 
To  carry  this  out,  we  need  to  import  the  proof  rule  (4)  into  the  verification  framework 
employed — and  for  this  we  probably  need  to  embed  the  semantics  of  the  rule  into  the  spec¬ 
ifi  cation  language  concerned.  McMillan’s  presentation  of  the  rule  only  sketches  the  argu¬ 
ment  for  its  soundness;  a  more  formal  treatment  is  given  by  Namjoshi  and  Trefler  [40],  but  it 
is  not  easy  reading  and  does  not  convey  the  basic  intuition.  Rushby  [56]  presents  an  embed¬ 
ding  of  LTL  in  the  PVS  specifi  cation  language  and  formally  verifi  es  fhe  soundness  of  fhe 
rule.  The  specifi  cafion  and  proof  are  surprisingly  shorf  and  provide  a  good  demonsfrafion 
of  fhe  power  and  convenience  of  fhe  PVS  language  and  proven 

Using  Ibis  foundation  fo  verify  fhe  inferacfion  befween  fhe  clock  synchronizafion  and 
group  membership  algorifhms  of  TTA  remains  a  challenge  for  fhe  fulure.  Observe  fhaf  such 
an  application  of  assume-guaranlee  reasoning  has  rafher  an  unusual  character:  convenfion- 
ally,  fhe  componenfs  in  assume-guaranlee  reasoning  are  viewed  as  separale,  peer  processes, 
whereas  here  Ihey  are  dislribuled  algorifhms  lhal  form  pari  of  a  protocol  hierarchy  (wilh 
membership  above  synchronizafion). 


117 


6  Emergent  Properties 


Clock  synchronization,  transmission  window  timing,  and  group  membership  are  important 
properties,  but  what  makes  TTA  useful  are  not  the  individual  properties  of  its  constituent 
algorithms,  but  the  emergent  properties  that  come  about  through  their  combination.  These 
emergent  properties  are  understood  by  the  designers  and  advocates  of  TTA,  but  they  have 
not  been  articulated  formally  in  ways  that  are  fully  satisfactory,  and  I  consider  this  the  most 
important  and  interesting  of  the  tasks  that  remain  in  the  formal  analysis  of  TTA. 

I  consider  the  three  “top  level”  properties  of  TTA  to  be  the  time-triggered  model  of 
computation,  support  for  application-independent  fault  tolerance,  and  partitioning.  The 
time-triggered  model  of  computation  can  be  construed  narrowly  or  broadly.  Narrowly,  it  is 
a  variant  on  the  notion  of  synchronous  system  [35] :  these  are  distributed  computer  systems 
where  there  are  known  upper  bounds  on  the  time  that  it  takes  nonfaulty  processors  to  per¬ 
form  certain  operations,  and  on  the  time  that  it  takes  for  a  message  sent  by  one  nonfaulty 
processor  to  be  received  by  another.  The  existence  of  these  bounds  simplifi  es  the  develop¬ 
ment  of  fault-tolerant  systems  because  nonfaulty  processes  executing  a  common  algorithm 
can  use  the  passage  of  time  to  predict  each  others’  progress,  and  the  absence  of  expected 
messages  can  be  detected.  This  property  contrasts  with  asynchronous  systems,  where  there 
are  no  upper  bounds  on  processing  and  message  delays,  and  where  it  is  therefore  provably 
impossible  to  achieve  certain  forms  of  consistent  knowledge  or  coordinated  action  in  the 
presence  of  even  simple  faults  [9, 17].  Rushby  [52]  presents  a  formal  verification  that  a 
system  possessing  the  synchronization  and  scheduling  mechanisms  of  TTA  can  be  used  to 
create  the  abstraction  of  a  synchronous  system.  An  alternative  model,  closer  to  TTA  in  that 
it  does  not  abstract  out  the  real-time  behavior,  is  that  of  the  language  Giotto  [19]  and  it 
would  be  interesting  to  formalize  the  connection  between  TTA  and  Giotto. 

More  broadly  construed,  the  notion  of  time-triggered  system  encompasses  a  whole  phi¬ 
losophy  of  real-time  systems  design — notably  that  espoused  by  Kopetz  [25].  Kopetz’  broad 
conception  includes  a  distinction  between  composite  and  elementary  interfaces  [27]  and  the 
notion  of  a  temporal  firewall  [24]. 

A  time-triggered  system  does  not  merely  schedule  activity  within  nodes,  it  also  man¬ 
ages  the  reliable  transmission  of  messages  between  them.  Messages  obviously  communi¬ 
cate  data  between  nodes  (and  the  processes  within  them)  but  they  may  also,  through  their 
presence  or  absence  and  through  the  data  that  they  convey,  influence  the  flow  of  control 
within  a  node  or  process  (or,  more  generically,  a  component).  An  important  insight  is  that 
one  component  should  not  allow  another  to  control  its  own  progress.  Suppose,  for  exam¬ 
ple,  that  the  guarantees  delivered  by  component  Jfi  are  quite  weak,  such  as,  “this  buffer 
may  sometimes  contain  recent  data  concerning  parameter  A.”  Another  component  X2  that 
uses  this  data  must  be  prepared  to  operate  when  recent  data  about  A  is  unavailable  (at  least 
from  Xi).  It  might  seem  that  predictability  and  simplicity  would  be  enhanced  if  we  were 
to  ensure  that  the  flow  of  data  about  A  is  reliable — perhaps  using  a  protocol  involving  ac¬ 
knowledgments.  But  in  fact,  contrary  to  this  intuition,  such  a  mechanism  would  greatly 


118 


increase  the  coupling  between  components  and  introduce  more  complicated  failure  propa¬ 
gations.  For  example,  Xi  could  block  waiting  for  an  acknowledgment  from  X2  that  may 
never  come  if  X2  has  failed,  thereby  propagating  the  failure  from  X2  to  Xi.  Kopetz  [27] 
defi  nes  interfaces  that  involve  such  bidirectional  flow  of  control  as  composite  and  argues 
convincingly  that  they  should  be  eschewed  in  favor  of  elementary  interfaces  in  which  con¬ 
trol  flow  is  unidirectional. 

The  need  for  elementary  interfaces  leads  to  protocols  for  nonblocking  asynchronous 
communication  that  nonetheless  ensure  timely  transmission  and  mutual  exclusion  (i.e.,  no 
simultaneous  reading  and  writing  of  the  same  buffer).  In  computer  science,  these  are  known 
as  lock-  and  wait-free  atomic  register  constructions  (  [1]  is  a  convenient  survey,  focussing 
on  the  work  of  Lamport,  who  fi  rst  introduced  the  topic),  but  similar  constructions  were 
developed  independently  in  the  avionics  and  real-time  communities.  The  best-known  of 
these  is  the  four-slot  protocol  of  Simpson  [72].  Formal  analyses  of  Simpson’s  protocol  have 
been  developed  by  Clark  [10]  (using  Petri  nets),  by  Rushby  [59]  (using  model  checking), 
and  by  Henderson  and  Paynter  [18]  (using  PVS).  Hesselink  [21]  have  verifi  ed  some  atomic 
register  constructions  from  the  computer  science  literature  using  ACL2. 

TTA  uses  a  protocol  called  NEW  (nonblocking  write)  [29]  whose  wait-free  element 
was  inspired  by  Simpson’s  algorithm,  and  whose  lock-free  construction  is  that  of  Lamport 
[33].  It  would  be  useful  to  undertake  a  formal  examination  of  NEW  (which  is  used  in 
the  Communication  Network  Interface  (CNI)  that  provides  communication  between  hosts 
and  their  TTA  controllers),  particularly  since  Simpson’s  algorithm  requires  atomic  control 
registers,  and  Rushby’s  analysis  [59]  shows  that  it  fails  when  this  (very  strong)  assumption 
is  violated. 

The  larger  issue  of  formally  characterizing  composite  and  elementary  interfaces  has  not 
yet  been  tackled,  to  my  knowledge.  It  is  debatable  whether  formalization  of  these  notions 
is  best  performed  as  part  of  a  broad  treatment  of  time-triggered  systems,  or  as  part  of  an  or¬ 
thogonal  topic  concerned  with  application-independent  fault  tolerance.  Temporal  firewalls, 
another  element  in  Kopetz’  comprehensive  philosophy  [24],  seem  definitely  to  belong  in 
the  treatment  of  fault  tolerance.  The  standard  way  to  communicate  a  sensor  sample  is  to 
package  it  with  a  timestamp:  then  the  consuming  process  can  estimate  the  “freshness”  of 
the  sample.  Eut  surely  the  useful  lifetime  of  a  sample  depends  on  the  accuracy  of  the  orig¬ 
inal  reading  and  on  the  dynamics  of  the  parameter  being  measured — and  these  factors  are 
better  known  to  the  process  doing  the  sensing  than  to  the  process  that  consumes  the  sam¬ 
ple.  So,  argues  Kopetz,  it  is  better  to  turn  the  timestamp  around,  so  that  it  indicates  the 
“must  use  by”  time,  rather  than  the  time  at  which  the  sample  was  taken.  This  is  the  idea 
of  the  temporal  fi  rewall,  which  exists  in  two  variants.  A  phase-insensitive  sensor  sample 
is  provided  with  a  time  and  a  guarantee  that  the  sampled  value  is  accurate  (with  respect 
to  a  specifi  cation  published  by  the  process  that  provides  it)  until  the  indicated  time.  For 
example,  suppose  that  engine  oil  temperature  may  change  by  at  most  1%  of  its  range  per 
second,  that  its  sensor  is  completely  accurate,  and  that  the  data  is  to  be  guaranteed  to  0.5%. 
Then  the  sensor  sample  will  be  provided  with  a  time  500  ms  ahead  of  the  instant  when  it 


119 


was  sampled,  and  the  receiver  will  know  that  it  is  safe  to  use  the  sampled  value  until  the 
indicated  time.  A  phase-sensitive  temporal  fi  rewall  is  used  for  rapidly  changing  parameters; 
in  addition  to  sensor  sample  and  time,  it  provides  the  parameters  needed  to  perform  state 
estimation.  For  example,  along  with  sampled  crankshaft  angle,  it  may  supply  RPM,  so  that 
angle  may  be  estimated  more  accurately  at  the  time  of  use. 

The  advantage  of  temporal  fi  rewalls  is  that  they  allow  some  of  the  downstream  pro¬ 
cessing  (e.g.,  sensor  fusion)  to  become  less  application  dependent.  Temporal  firewalls  are 
consistent  with  modern  notions  of  smart  sensors  that  co-locate  computing  resources  with 
the  sensor.  Such  resources  allow  a  sensor  to  return  additional  information,  including  an 
estimate  of  the  accuracy  of  its  own  reading.  An  attractive  way  to  indicate  (confidence 
in)  fhe  accuracy  of  a  sensor  reading  is  fo  refurn  fwo  values  (bofh  packaged  in  a  femporal 
firewall)  indicating  fhe  upper  and  lower  95%  (say)  confidence  inferval.  If  several  such  in¬ 
tervals  are  available  from  redundanf  sensors,  fhen  an  inferesfing  question  is  how  besf  fo 
combine  {or  fuse)  fhem.  Marzullo  [36]  infroduces  fhe  sensor  fusion  function 
Ibis  problem;  Rushby  formally  verifies  fhe  soundness  of  fhis  consfrucfion  (i.e.,  fhe  fused 
inferval  always  confains  fhe  correcf  value)  [58].  A  weakness  of  Marzullo ’s  function  is  fhaf 
if  lacks  fhe  “Lipschifz  Condifion”:  small  changes  in  inpuf  sensor  readings  can  somefimes 
produce  large  changes  in  ifs  oufpuf.  Schmid  and  Schossmaier  [65]  have  recenfly  infroduced 
an  improved  fusion  funclion  (5)  fhaf  does  salisfy  fhe  Lipschifz  condifion,  and  is  optimal 
among  all  such  functions.  If  would  be  inferesfing  fo  verify  formally  fhe  properfies  of  fhis 
funclion. 

Principled  faull  tolerance  requires  nol  only  fhaf  redundanf  sensor  values  are  fused  effec¬ 
tively,  buf  fhaf  all  redundanf  consumers  agree  on  exaclly  fhe  same  values;  fhis  is  fhe  nolion 
of  replica  determinism  [46]  fhaf  provides  fhe  foundation  for  state  machine  replication  [67] 
and  olher  melhods  for  applicalion-independenl  faull  tolerance  based  on  exacl-malch  voting. 
Replica  delerminism  in  ifs  torn  depends  on  interactively  consistent  message  passing:  fhaf 
is,  message  passing  in  which  all  nonfaully  recipienls  obfain  fhe  same  value  [43],  even  if 
fhe  sender  and  some  of  fhe  intermediaries  in  fhe  Iransmission  are  faulty  (fhis  is  also  known 
as  fhe  problem  of  Byzantine  Agreement  [34]).  If  is  well  known  [35]  fhaf  inferaclive  consis¬ 
tency  cannol  be  achieved  in  fhe  presence  of  a  single  arbilrary  faull  wilh  less  lhan  fwo  rounds 
of  information  exchange  (one  fo  disseminate  fhe  values,  and  one  to  cross-check),  yel  TTA 
sends  each  message  in  only  a  single  broadcasl.  How  can  we  reconcile  fhis  practice  wilh 
Iheory?  I  suggesl  in  [55]  fhaf  fhe  interaction  of  message  broadcasls  wilh  fhe  group  member¬ 
ship  algorilhm  (which  can  be  seen  as  a  continuously  interleaving  Iwo-round  algorilhm)  in 
TTA  achieves  a  “Draconian  consensus”  in  which  agreemenl  is  enforced  by  removal  of  any 
members  fhaf  disagree.  If  would  be  inferesfing  to  subjecl  Ibis  idea  to  formal  examinalion, 
and  to  conslrucl  an  integrated  formal  Irealmenf  for  application-level  faull  lolerance  in  TTA 
similar  to  Ihose  previously  developed  for  classical  slale  machine  replicalion  [13,48]. 

The  fi  nal  top-level  property  is  fhe  mosl  imporlanl  for  safely-crilical  applications;  if  is 
called  partitioning  and  if  refers  fo  fhe  requiremenl  fhaf  faulls  in  one  componenl  of  TTA,  or 
in  one  application  supporled  by  TTA,  musl  nol  propagate  fo  olher  componenls  and  appli- 


120 


cations,  and  must  not  affect  the  operation  of  nonfaulty  components  and  applications,  other 
than  through  loss  of  the  services  provided  by  the  failed  elements.  It  is  quite  easy  to  develop 
a  formal  statement  of  partitioning — but  only  in  the  absence  of  the  qualifi  cation  introduced  in 
the  fi  nal  clause  of  the  previous  sentence  (see  [51]  for  an  extended  discussion  of  this  topic). 
In  the  absence  of  communication,  partitioning  is  equivalent  to  isolation  and  this  property 
has  a  long  history  of  formal  analysis  in  the  security  community  [47]  and  has  been  adapted 
to  include  the  real-time  attributes  that  are  important  in  embedded  systems  [79].  In  essence, 
formal  statements  of  isolation  state  that  the  behavior  perceived  by  one  component  is  en¬ 
tirely  unchanged  by  the  presence  or  absence  of  other  components.  When  communication 
between  components  is  allowed,  this  simple  statement  no  longer  suffi  ces,  for  if  Xi  supplies 
input  to  X2,  then  absence  of  Xi  certainly  changes  the  behavior  perceived  by  X2.  What  we 
want  to  say  is  that  the  only  change  perceived  by  X2  is  that  due  to  the  faulty  or  missing  data 
supplied  by  Xi  (i.e.,  Xi  must  not  be  able  to  interfere  with  X2’s  communication  with  other 
components,  nor  write  directly  into  its  memory,  and  so  on).  To  my  knowledge,  there  is  no 
fully  satisfactory  formal  statement  of  this  interpretation  of  partitioning. 

It  is  clear  that  properties  of  the  TTA  algorithms  and  architecture  are  crucial  to  partition¬ 
ing  (e.g.,  clock  synchronization,  the  global  schedule,  existence  of  guardians,  the  single-fault 
assumption,  and  transmission  window  timing  are  all  needed  to  stop  a  faulty  node  violating 
partitioning  by  babbling  on  the  bus),  and  there  are  strong  informal  arguments  (backed  by 
experiment)  that  these  properties  are  suffi  cient  [55],  but  to  my  knowledge  there  is  as  yet  no 
comprehensive  formal  treatment  of  this  argument. 

7  Conclusion 

TTA  provides  several  challenging  formal  verifi  cation  problems.  Those  who  wish  to  develop 
or  benchmark  new  techniques  or  tools  can  fi  nd  good  test  cases  among  the  algorithms  and 
requirements  of  TTA.  However,  I  believe  that  the  most  interesting  and  rewarding  problems 
are  those  that  concern  the  interactions  of  several  algorithms,  and  it  is  here  that  new  meth¬ 
ods  of  compositional  analysis  and  verifi  cation  are  mosf  urgenfly  needed.  Examples  include 
fhe  inferacfion  befween  fhe  group  membership  and  clique  avoidance  algorifhms  and  fheir 
join!  behavior  under  various  faull  hypofheses,  fhe  mufual  inferdependence  of  clock  synchro- 
nizafion  and  group  membership,  and  fhe  fop-level  properfies  fhaf  emerge  from  fhe  collective 
inferacfion  of  all  fhe  algorifhms  and  archifecfural  affribufes  of  TTA.  Progress  on  fhese  fronfs 
will  nof  only  advance  fhe  fechniques  and  fools  of  formal  mefhods,  buf  will  sfrengfhen  and 
deepen  lies  befween  fhe  formal  mefhods  and  embedded  systems  communilies,  and  make  a 
valuable  confribulion  fo  assurance  for  fhe  safely-crifical  systems  fhaf  are  increasingly  pari 
of  our  daily  lives. 


121 


Acknowledgments 

Giinther  Bauer  of  TU  Vienna  provided  helpful  eomments  and  eorreetions  for  a  previous 
version  of  this  paper. 


References 

Papers  on  formal  methods  and  automated  verifi  eation  by  SRI  authors  ean  generally  be  lo- 
eated  by  visiting  home  pages  or  doing  a  seareh  from  http:  //www.  csl .  sri  .  com/ 
programs /formalmet hods. 

[1]  James  H.  Anderson.  Lamport  on  mutual  exclusion:  27  years  of  planting  seeds.  In  20th  ACM 
Symposium  on  Principles  of  Distributed  Computing,  pages  3-12,  Association  for  Computing 
Machinery,  Newport,  RI,  August  2001. 

[2]  Anish  Arora  and  Sandeep  S.  Kulkarni.  Detectors  and  correctors:  A  theory  of  fault-tolerance 
components.  In  18th  International  Conference  on  Distributed  Computing  Systems,  pages  436- 
443,  IEEE  Computer  Society,  Amsterdam,  The  Netherlands,  1998. 

[3]  Gunther  Bauer  and  Michael  Paulitsch.  An  investigation  of  membership  and  clique  avoidance 
in  TTP/C.  In  19th  Symposium  on  Reliable  Distributed  Systems,  Nuremberg,  Germany,  October 
2000. 

[4]  Kai  Baukus,  Saddek  Bensalem,  Yassine  Lakhnech,  and  Karsten  Stahl.  Abstracting  WSIS 
systems  to  verify  parameterized  networks.  In  Susanne  Graf  and  Michael  Schwartzbach,  edi¬ 
tors,  Tools  and  Algorithms  for  the  Construction  and  Analysis  of  Systems  (TACAS  2000),  pages 
188-203,  Berlin,  Germany,  March  2000. 

[5]  Kai  Baukus,  Yassine  Lakhnech,  and  Karsten  Stahl.  Verifying  universal  properties  of  parameter¬ 
ized  networks.  In  Matthai  Joseph,  editor.  Formal  Techniques  in  Real-Time  and  Fault-Tolerant 
Systems,  Volume  1926  of  Springer- Verlag  LecfMre  Notes  in  Computer  Science,  pages  291-303, 
Pune,  India,  September  2000. 

[6]  Saddek  Bensalem,  Marius  Bozga,  Jean-Claude  Eernandez,  Lucian  Ghirvu,  and  Yassine 
Lakhnech.  A  transformational  approach  for  generating  non-linear  invariants.  In  Jens  Palsberg, 
editor.  Seventh  International  Static  Analysis  Symposium  (SAS’OO),  Volume  1824  of  Springer- 
Verlag  Lecture  Notes  in  Computer  Science,  pages  58-74,  Santa  Barbara  CA,  June  2000. 

[7]  Saddek  Bensalem  and  Yassine  Lakhnech.  Automatic  generation  of  invariants.  Formal  Methods 
in  Systems  Design,  15(l):75-92,  July  1999. 

[8]  Ahmed  Bouajjani  and  Agathe  Merceron.  Parametric  verification  of  a  group  membership  algo¬ 
rithm.  In  Werner  Damm  and  Ernst-Riidiger  Olderog,  editors.  Formal  Techniques  in  Real-Time 
and  Fault-Tolerant  Systems,  Volume  2469  of  Springer- Verlag  Lecture  Notes  in  Computer  Sci¬ 
ence,  pages  311-330,  Oldenburg,  Germany,  November  2002. 

[9]  Tushar  D.  Chandra,  Vassos  Hadzilacos,  Sam  Toueg,  and  Bernadette  Charron-Bost.  On  the 
impossibility  of  group  membership.  In  Fifteenth  ACM  Symposium  on  Principles  of  Distributed 
Computing,  pages  322-330,  Association  for  Computing  Machinery,  Philadelphia,  PA,  May 
1996. 


122 


[10]  Ian  G.  Clark.  A  Unifi  ed  Approach  to  the  Study  of  Asynchronous  Communication  Mechanisms 
in  Real  Time  Systems.  PhD  thesis,  King’s  College,  London  University,  May  2000. 

[11]  James  Corbett,  Matthew  Dwyer,  John  Hatcliff,  Corina  Pasareanu,  Robby,  Shawn  Laubach, 
and  Hongjun  Zheng.  Bandera:  Extracting  finite-state  models  from  Java  source  code.  In  22nd 
International  Conference  on  Software  Engineering,  pages  439^48,  IEEE  Computer  Society, 
Limerick,  Ireland,  June  2000. 

[12]  S.  J.  Creese  and  A.  W.  Roscoe.  TTP:  A  case  study  in  combining  induction  and  data  indepen¬ 
dence.  Technical  Report  PRG-TR-1-99,  Oxford  University  Computing  Laboratory,  Oxford, 
England,  1999. 

[13]  Ben  L.  Di  Vito  and  Ricky  W.  Butler.  Eormal  techniques  for  synchronized  fault-tolerant  sys¬ 
tems.  In  C.  E.  Landwehr,  B.  Randell,  and  L.  Simoncini,  editors.  Dependable  Computing  for 
Critical  Applications — 3.  Volume  8  of  Springer- Verlag,  Vienna,  Austria  Dependable  Comput¬ 
ing  and  Fault-Tolerant  Systems,  pages  163-188,  September  1992. 

[14]  Jacob  Elgaard,  Nils  Klarlund,  and  Anders  Moller.  Mona  Lx:  New  techniques  for  WSIS 
and  WS2S.  In  Alan  J.  Hu  and  Moshe  Y.  Vardi,  editors,  Computer-Aided  Verifi  cation,  CAV 
’98,  Volume  1427  of  Springer- Verlag  Lecture  Notes  in  Computer  Science,  pages  516-520, 
Vancouver,  Canada,  June  1998. 

[15]  E.  A.  Emerson  and  A.  P.  Sistla,  editors.  Computer-Aided  Verification,  CAV  ’2000,  Volume 
1855  of  Springer- Verlag  Lecture  Notes  in  Computer  Science,  Chicago,  IL,  July  2000. 

[16]  J.-C.  Eilliatre,  S.  Owre,  H.  RueB,  and  N.  Shankar.  ICS:  Integrated  Canonization  and  Solving.  In 
G.  Berry,  H.  Comon,  and  A.  Einkel,  editors,  Computer-Aided  Verifi  cation,  CAV  ’2001,  Volume 
2102  of  Springer- Verlag  Lecture  Notes  in  Computer  Science,  pages  246-249,  Paris,  Prance, 
July  2001. 

[17]  Michael  J.  Pischer,  Nancy  A.  Lynch,  and  Michael  S.  Paterson.  Impossibility  of  distributed 
consensus  with  one  faulty  process.  Journal  of  the  ACM,  32(2):374-382,  April  1985. 

[18]  N.  Henderson  and  S.  E.  Paynter.  The  formal  classification  and  verification  of  Simpson’s  4- 
slot  asynchronous  communication  mechanism.  In  Peter  Lindsay,  editor,  FME  2002:  Formal 
Methods-Getting  IT  Right,  pages  350-369,  Copenhagen,  Denmark,  July  2002. 

[19]  T.A.  Henzinger,  B.  Horowitz,  and  C.M.  Kirsch.  Giotto:  a  time-triggered  language  for  embed¬ 
ded  programming.  In  Henzinger  and  Kirsch  [20],  pages  166-184. 

[20]  Tom  Henzinger  and  Christoph  Kirsch,  editors.  EMSOFT  2001:  Proceedings  of  the  First  Work¬ 
shop  on  Embedded  Software,  Volume  2211  of  Springer- Verlag  Lecture  Notes  in  Computer 
Science,  Lake  Tahoe,  CA,  October  2001. 

[21]  Wim  H.  Hesselink.  An  assertional  criterion  for  atomicity.  Acta  Informatica,  2S(5):343-366, 

2002. 

[22]  C.  B.  Jones.  Tentative  steps  toward  a  development  method  for  interfering  programs.  ACM 
TOPLAS,  5(4):596-619, 1983. 

[23]  Shmuel  Katz,  Pat  Lincoln,  and  John  Rushby.  Low-overhead  time-triggered  group  member¬ 
ship.  In  Marios  Mavronicolas  and  Philippas  Tsigas,  editors,  11th  International  Workshop  on 
Distributed  Algorithms  (WDAG  ’97),  Volume  1320  of  Springer- Verlag  Lecture  Notes  in  Com¬ 
puter  Science,  pages  155-169,  Saarbriicken  Germany,  September  1997. 


123 


[24]  Herman  Kopetz  and  R.  Nossal.  Temporal  firewalls  in  large  distributed  real-time  systems.  In  6th 
IEEE  Workshop  on  Future  Trends  in  Distributed  Computing,  pages  310-315,  IEEE  Computer 
Society,  Tunis,  Tunisia,  October  1997. 

[25]  Hermann  Kopetz.  Real-Time  Systems:  Design  Princples  for  Distributed  Embedded  Applica¬ 
tions.  The  Kluwer  International  Series  in  Engineering  and  Computer  Science.  Kluwer,  Dor¬ 
drecht,  The  Netherlands,  1997. 

[26]  Hermann  Kopetz.  The  time-triggered  model  of  computation.  In  Real  Time  Systems  Symposium, 
IEEE  Computer  Society,  Madrid,  Spain,  December  1998. 

[27]  Hermann  Kopetz.  Elementary  versus  composite  interfaces  in  distributed  real-time  systems.  In 
The  Fourth  International  Symposium  on  Autonomous  Decentralized  Systems,  IEEE  Computer 
Society,  Tokyo,  Japan,  March  1999. 

[28]  Hermann  Kopetz  and  Gunter  Griinsteidl.  TTP— a  protocol  for  fault-tolerant  real-time  systems. 
IEEE  Computer,  27(1):  14-23,  January  1994. 

[29]  Hermann  Kopetz  and  Johannes  Reisinger.  The  non-blocking  write  protocol  NEW:  A  solution 
to  a  real-time  synchronization  problem.  In  Real  Time  Systems  Symposium,  pages  131-137, 
IEEE  Computer  Society,  Raleigh-Durham,  NC,  December  1993. 

[30]  Sandeep  Kulkarni,  John  Rushby,  and  N.  Shankar.  A  case  study  in  component-based  mechan¬ 
ical  verification  of  fault-tolerant  programs.  In  ICDCS  Workshop  on  Self-Stabilizing  Systems, 
pages  33^0,  IEEE  Computer  Society,  Austin,  TX,  June  1999. 

[31]  Sandeep  S.  Kulkarni.  Component-Based  Design  of  Fault  Tolerance.  PhD  thesis.  The  Ohio 
State  University,  Columbus,  OH,  1999. 

[32]  L.  Lamport  and  P.  M.  Melliar-Smith.  Synchronizing  clocks  in  the  presence  of  faults.  Journal 
of  the  ACM,  32(l):52-78,  January  1985. 

[33]  Leslie  Lamport.  Concurrent  reading  and  writing.  Association  for  Computing  Machinery, 
20(1 1):806-811,  November  1977. 

[34]  Leslie  Lamport,  Robert  Shostak,  and  Marshall  Pease.  The  Byzantine  Generals  problem.  ACM 
Transactions  on  Programming  Languages  and  Systems,  4(3):382^01,  July  1982. 

[35]  Nancy  A.  Lynch.  Distributed  Algorithms.  Morgan  Kaufmann  Series  in  Data  Management 
Systems.  Morgan  Kaufmann,  San  Erancisco,  CA,  1996. 

[36]  Keith  Marzullo.  Tolerating  failures  of  continuous-valued  sensors.  ACM  Transactions  on  Com¬ 
puter  Systems,  8(4):284-304,  November  1990. 

[37]  K.  L.  McMillan.  Circular  compositional  reasoning  about  liveness.  In  Laurence  Pierre  and 
Thomas  Kropf,  editors.  Advances  in  Hardware  Design  and  Verifi  cation:  IFIP  WG10.5  Inter¬ 
national  Conference  on  Correct  Hardware  Design  and  Verifi  cation  Methods  ( CHARME  ’99), 
Volume  1703  of  Springer- Verlag  Lecture  Notes  in  Computer  Science,  pages  342-345,  Bad 
Herrenalb,  Germany,  September  1999. 

[38]  Paul  S.  Miner.  Verification  of  fault-tolerant  clock  synchronization  systems.  NASA  Technical 
Paper  3349,  NASA  Langley  Research  Center,  Hampton,  VA,  November  1993. 

[39]  Jayadev  Misra  and  K.  Mani  Chandy.  Proofs  of  networks  of  processes.  IEEE  Transactions  on 
Software  Engineering,  7(4):4 17^26,  July  1981. 


124 


[40]  Kedar  S.  Namjoshi  and  Richard  J.  Trefbr.  On  the  completeness  of  compositional  reasoning. 
In  Emerson  and  Sistla  [15],  pages  139-153. 

[41]  Sam  Owre,  John  Rushby,  Natarajan  Shankar,  and  Friedrich  von  Henke.  Formal  verification 
for  fault-tolerant  architectures:  Prolegomena  to  the  design  of  PVS.  IEEE  Transactions  on 
Software  Engineering,  21(2):  107-125,  February  1995. 

[42]  Michael  Paulitsch  and  Wilfried  Steiner.  The  transition  from  asynchronous  to  synchronous  sys¬ 
tem  operation:  An  approach  for  distributed  fault-tolerant  systems.  In  The  22nd  International 
Conference  on  Distributed  Computing  Systems  (ICDCS  ’02),  pages  329-336,  IEEE  Computer 
Society,  Vienna,  Austria,  July  2002. 

[43]  M.  Pease,  R.  Shostak,  and  L.  Lamport.  Reaching  agreement  in  the  presence  of  faults.  Journal 
of  the  ACM,  27(2):228-234,  April  1980. 

[44]  Holger  Pfeifer.  Formal  verification  of  the  TTA  group  membership  algorithm.  In  Tommaso 
Bolognesi  and  Diego  Latella,  editors.  Formal  Description  Techniques  and  Protocol  Specif  ca¬ 
tion,  Testing  and  Verifi  cation  FORTE  XIII/PSTV  XX  2000,  pages  3-18,  Pisa,  Italy,  October 
2000. 

[45]  Holger  Pfeifer,  Detlef  Schwier,  and  Friedrich  W.  von  Henke.  Formal  verification  for  time- 
triggered  clock  synchronization.  In  Weinstock  and  Rushby  [77],  pages  207-226. 

[46]  Stefan  Poledna.  Fault-Tolerant  Systems:  The  Problem  of  Replica  Determinism.  The  Kluwer  In¬ 
ternational  Series  in  Engineering  and  Computer  Science.  Kluwer,  Dordrecht,  The  Netherlands, 
1996. 

[47]  John  Rushby.  The  design  and  verification  of  secure  systems.  In  Eighth  ACM  Symposium  on 
Operating  System  Principles,  pages  12-21,  Asilomar,  CA,  December  1981.  (ACM  Operating 
Systems  Review,  Vol.  15,  No.  5). 

[48]  John  Rushby.  A  fault-masking  and  transient-recovery  model  for  digital  fight-control  systems. 
In  Jan  Vytopil,  editor.  Formal  Techniques  in  Real-Time  and  Fault-Tolerant  Systems,  Kluwer 
International  Series  in  Engineering  and  Computer  Science,  chapter  5,  pages  109-136.  Kluwer, 
Boston,  Dordecht,  London,  1993. 

[49]  John  Rushby.  A  formally  verified  algorithm  for  clock  synchronization  under  a  hybrid  fault 
model.  In  Thirteenth  ACM  Symposium  on  Principles  of  Distributed  Computing,  pages  304- 
313,  Association  for  Computing  Machinery,  Los  Angeles,  CA,  August  1994.  Also  available 
as  NASA  Contractor  Report  198289. 

[50]  John  Rushby.  Automated  deduction  and  formal  methods.  In  Rajeev  Alur  and  Thomas  A. 
Henzinger,  editors,  Computer-Aided  Verifi  cation,  CAV  ’96,  Volume  1102  of  Springer- Verlag 
Lecture  Notes  in  Computer  Science,  pages  169-183,  New  Brunswick,  NJ,  July/ August  1996. 

[51]  John  Rushby.  Partitioning  for  avionics  architectures:  Requirements,  mechanisms,  and 
assurance.  NASA  Contractor  Report  CR- 1999-209347,  NASA  Langley  Research  Cen¬ 
ter,  June  1999.  Available  at  http://www.csl.sri.com/~rushby/abstracts/ 
partitioning,  and  http  :  /  /  tech  reports  .larc.nasa.  gov/ ltrs/PDF/1999/ 
cr /NASA-  99-cr2  0  934  7  .  pdf;  also  issued  by  the  FAA. 

[52]  John  Rushby.  Systematic  formal  verification  for  fault-tolerant  time-triggered  algorithms.  IEEE 
Transactions  on  Software  Engineering,  25(5):65 1-660,  September/October  1999. 


125 


[53]  John  Rushby.  Verification  diagrams  revisited;  Disjunctive  invariants  for  easy  verification.  In 
Emerson  and  Sistla  [15],  pages  508-520. 

[54]  John  Rushby.  Bus  architectures  for  safety-critical  embedded  systems.  In  Henzinger  and  Kirsch 
[20],  pages  306-323. 

[55]  John  Rushby.  A  comparison  of  bus  architectures  for  safety-critical  embedded  systems.  Techni¬ 
cal  report.  Computer  Science  Laboratory,  SRI  International,  Menlo  Park,  CA,  September  2001 . 
Available  at  http  :  /  /  www .  csl .  sri  .  com/  '  rushby /abstracts /bus  compare. 

[56]  John  Rushby.  Formal  verification  of  McMillan’s  compositional  assume-guarantee  rule.  Tech¬ 
nical  report.  Computer  Science  Laboratory,  SRI  International,  Menlo  Park,  CA,  September 
2001. 

[57]  John  Rushby.  Formal  verification  of  transmission  window  timing  for  the  time-triggered  archi¬ 
tecture.  Technical  report.  Computer  Science  Laboratory,  SRI  International,  Menlo  Park,  CA, 
March  2001. 

[58]  John  Rushby.  Formal  verification  of  Marzullo’s  sensor  fusion  interval.  Technical  report.  Com¬ 
puter  Science  Laboratory,  SRI  International,  Menlo  Park,  CA,  January  2002. 

[59]  John  Rushby.  Model  checking  Simpson’s  four-slot  fully  asynchronous  communication  mech¬ 
anism.  Technical  report.  Computer  Science  Laboratory,  SRI  International,  Menlo  Park,  CA, 
July  2002. 

[60]  John  Rushby  and  Friedrich  von  Henke.  Formal  verification  of  algorithms  for  critical  systems. 
IEEE  Transactions  on  Software  Engineering,  19(l):13-23,  January  1993. 

[61]  John  Rushby,  Friedrich  von  Henke,  and  Sam  Owre.  An  introduction  to  formal  specification 
and  verification  using  Ehdm.  Technical  Report  SRTCSL-91-2,  Computer  Science  Laboratory, 
SRI  International,  Menlo  Park,  CA,  February  1991. 

[62]  Hassen  Saidi  and  Susanne  Graf.  Construction  of  abstract  state  graphs  with  PVS.  In  Orna 
Grumberg,  editor,  Computer-Aided  Verifi  cation,  CAV  ’97,  Volume  1254  of  Springer- Verlag 
Lecture  Notes  in  Computer  Science,  pages  72-83,  Haifa,  Israel,  June  1997. 

[63]  Hassen  Saidi  and  N.  Shankar.  Abstract  and  model  check  while  you  prove.  In  Nicolas  Halb- 
wachs  and  Doron  Peled,  editors,  Computer-Aided  Verifi  cation,  CAV  ’99,  Volume  1633  of 
Springer- Verlag  Lecture  Notes  in  Computer  Science,  pages  443^54,  Trento,  Italy,  July  1999. 

[64]  Ulrich  Schmid.  How  to  model  link  failures:  A  perception-based  fault  model.  In  The  In¬ 
ternational  Conference  on  Dependable  Systems  and  Networks,  pages  57-66,  IEEE  Computer 
Society,  Goteborg,  Sweden,  July  2001. 

[65]  Ulrich  Schmid  and  Klaus  Schossmaier.  How  to  reconcile  fault-tolerant  interval  intersection 
with  the  Lipschitz  condition.  Distributed  Computing,  14(2):101-111,  May  2001. 

[66]  Fred  B.  Schneider.  Understanding  protocols  for  Byzantine  clock  synchronization.  Techni¬ 
cal  Report  87-859,  Department  of  Computer  Science,  Cornell  University,  Ithaca,  NY,  August 
1987. 

[67]  Fred  B.  Schneider.  Implementing  fault-tolerant  services  using  the  state  machine  approach:  A 
tutorial.  ACM  Computing  Surveys,  22(4):299-319,  December  1990. 


126 


[68]  Marco  Schneider.  Self  stabilization.  ACM  Computing  Surveys,  25(l):45-67,  March  1993. 

[69]  D.  Schwier  and  F.  von  Henke.  Mechanical  verification  of  clock  synchronization  algorithms.  In 
Formal  Techniques  in  Real-Time  and  Fault-Tolerant  Systems,  Volume  1486  of  Springer- Verlag 
Lecture  Notes  in  Computer  Science,  pages  262-271,  Lyngby,  Denmark,  September  1998. 

[70]  Natarajan  Shankar.  Mechanical  verification  of  a  generalized  protocol  for  Byzantine  fault- 
tolerant  clock  synchronization.  In  J.  Vytopil,  editor.  Formal  Techniques  in  Real-Time  and 
Fault-Tolerant  Systems,  Volume  571  of  Springer- Verlag  Lecture  Notes  in  Computer  Science, 
pages  217-236,  Nijmegen,  The  Netherlands,  January  1992. 

[71]  Natarajan  Shankar.  Combining  theorem  proving  and  model  checking  through  symbolic  anal¬ 
ysis.  In  CONCUR  2000:  Concurrency  Theory,  pages  1-16,  State  College,  PA,  August  2000. 
Available  at  ftp://ftp.csl.sri.  com/pub/user  s/shankar/  concur2000  .  ps  . 
gz. 

[72]  H.  R.  Simpson.  Four-slot  fully  asynchronous  communication  mechanism.  lEE  Proceedings, 
Part  E:  Computers  and  Digital  Techniques,  137(1):  17-30,  January  1990. 

[73]  T.  K.  Srikanth  and  Sam  Toueg.  Optimal  clock  synchronization.  Journal  of  the  ACM, 
34(3):626-645,July  1987. 

[74]  Philip  Thambidurai  and  You-Keun  Park.  Interactive  consistency  with  multiple  failure  modes. 
In  7th  Symposium  on  Reliable  Distributed  Systems,  pages  93-100,  IEEE  Computer  Society, 
Columbus,  OH,  October  1988. 

[75]  Specif  cation  of  the  TTP/C  Protocol  (version  0.6p0504).  Time-Triggered  Technology  TTTech 
Computertechnik  AG,  Vienna,  Austria,  May  2001. 

[76]  Ashish  Tiwari,  Harald  RueB,  Hassen  Saidi,  and  N.  Shankar.  A  technique  for  invariant  genera¬ 
tion.  In  T.  Margaria  and  W.  Yi,  editors.  Tools  and  Algorithms  for  the  Construction  and  Analysis 
of  Systems:  7  th  International  Conference,  7i4CA52007,  Volume  2031  of  Springer- Verlag  Lec- 
ture  Notes  in  Computer  Science,  pages  113-127,  Genova,  Italy,  April  2001. 

[77]  Charles  B.  Weinstock  and  John  Rushby,  editors.  Dependable  Computing  for  Critical 
Applications — 7,  Volume  12  of  IEEE  Computer  Society  Dependable  Computing  and  Fault 
Tolerant  Systems,  San  Jose,  CA,  January  1999. 

[78]  J.  Lundelius  Welch  and  N.  Lynch.  A  new  fault-tolerant  algorithm  for  clock  synchronization. 
Information  and  Computation,  77(l):l-36,  April  1988. 

[79]  Matthew  M.  Wilding,  David  S.  Hardin,  and  David  A.  Greve.  Invariant  performance:  A 
statement  of  task  isolation  useful  for  embedded  application  integration.  In  Weinstock  and 
Rushby  [77],  pages  287-300. 


127 


